That's why we have voting booths: so people are guaranteed to be able to vote without someone looking over their shoulder (or pointing a gun at their heads).
If people cannot vote in total freedom and anonymity, it's not a truly free and democratic vote.
We should stop trying to "solve" everything with technology. Some things should be "hard", because it's essential to get it right.
People are exposed to enough pressure just by virtue of having to interact with politically passionate people just to get to the booths. In many cases, they don't check photo ID, just evidence of enrollment.
At the very least, I'd like to see internet voting implemented without low-hanging security issues, enough confidence in their implementation to open-source the code, and with the backing of security researchers and organisations like the EFF. At least if we had issues like guns being pointed at heads and potential invalid double-votes, we could discuss them in the context they deserve.
So if you're an evil person looking to pressure people to vote your way, you would make people prove their vote to you after it's too late to change it. Or, if it's not possible to verify the vote later (I believe it is possible in the Estonian system), you'd make them vote at the last minute.
Am I misunderstanding something here? I don't see how this issue has been solved.
> And your hypothetical case is really a kidnapping, criminal offence, not scalable.
No, there is no need for kidnapping. Human relationships are complicated and pressure can be applied in many ways. A spouse, father, or other person can influence people in his direct vicinity. The secret ballot and the requirement that only one person enters the voting booth at a time ensure that that influence does not extend to the election result.
Versus one guy and a SELECT statement.
And finally. The interest in knowing who voted for whom is virtually zero. I admit that the principle of anonymous voting is good and needs to be guarded, but the real harm of a leak is virtually zero too. The bigger threat is manipulation of results.
You don't know because you haven't seen the software (or hardware) for them. You haven't because (I assume this part) you weren't one of the state inspectors, and what many (most?) of the manufacturers have done is to insist that no one ELSE be allowed to view the details since it's a "trade secret".
So maybe there is excellent logging like you describe. And maybe there isn't. We DO know that there have been occasional incidents of invalid vote reporting by the machines (such as  or ) that were not caught by such log systems.
As René Magritte might have put it, "Ce n'est pas le logiciel". You haven't seen the software - you've only seen source code that may resemble what is running when you cast your vote.
And I don't really care what logs are kept, because any such log is one dodgy programmer, one bribed sysadmin, one lost private key away from being totally or partially compromised.
The system we have works and would require the complete and flawless cooperation of thousands of conspirators -- including mutually hostile, cross-checking party officials -- to subvert the outcomes.
We already have voting by mail, of course, but this way you get to wait until election day to cast your actual vote and it is too easy to connect the vote to the voter.
The issue with a gun being pointed at the head could be solved rather easily by issuing every voter a random number of votes and marking one as special (perhaps it comes in another envelope). All non-special votes are automatically ignored, so you would gain nothing by pointing the gun at somebody's head.
This also solves the software trust problem: allow an open specification and an API test endpoint and somebody will write an open source voting program. As a bonus the software could submit the votes to an API at all the registered parties and any news org so that everybody could agree on the count.
Every voter gets a ballot mailed to them far in advance of election day along with a booklet outlining the benefits/consequences of measures we're voting for, what each potential representative wants to do, etc. You can take the time to research all available options and make an informed vote, then mail your ballot in at your convenience or drop it off at any library.
Far, far better than having to get up early in the morning and being around people who might attempt to grill you before/after you vote. Less chance of votes being manipulated since there's a paper trail, too.
I really don't know why the rest of the US doesn't do it this way.
Edit: relevant link on insecurity of voter registration in "the United Kingdom's shambolic electoral system": http://www.bailii.org/ew/cases/EWHC/QB/2013/2572.html
There's far less social pressure when you can fill out your ballot whenever and wherever than needing to line up somewhere and deal with the social pressure of voting "properly."
No method is perfect, but I think the issues with mail-in ballots are nowhere near as bad as the problems voting booths present.
Is it information-theoretically impossible to devise a cryptographic protocol that allows all the desired properties of voting (verifiability, anonymity, preventing double-votes, ....)?
I recall that there exist some protocols that provide at least some of those.
If it's not impossible then it's not unpatchable. Someone just has to come up with the right method to do it.
I don't know anything close to enough about ElGamal to comment on their implementation with any authority whatsoever, except to note that it looks very different to others I've seen. The challenge/proof parts in particular look unusual to me - I haven't spent a lot of time looking into their implementation, so it could just be parsing failure on my part, but it doesn't appear at first sight to use the usual Fiat-Shamir method other ElGamal implementations I've seen tend to.
But yes, computer security certainly is a problem. But I think it's not intractable. We manage to get online banking to work with acceptably low compromise rates despite huge monetary incentives to attack them.
So maybe if they handed out small, non-personalized cryptographic devices (similar to TAN generators) that can do all the essential operations and talk to a smartphone to retrieve a ballot and submit the vote then e-voting could work.
It would essentially be your own little portable voting booth. It's important though that the device should be separate from the key used to vote, so you could swap devices and re-cast your vote if you consider it compromised for any reason.
The threat model for coercion-resistance is providing proof to someone after you have cast your vote.
The threat model for anonymity is an observer - either a 3rd party or someone colluding with the voting authority - who does not have access to the voting client itself.
Voting-at-gunpoint coercion as threat model cannot really be defended against because it basically implies that the attacker has full control over the voter. Even some scheme that would allow vote retraction/recasting wouldn't help since the attacker could simply keep threatening the voter until the election is over.
Let's say you're in the voting booth and have taken the picture. You can then do at least one of the following:
- Exchange your ballot for a blank one and fill it out again
- Fill in the check box and vote for your real candidate
- Spoil your vote
But if somebody works out how to steal an electronic vote, such a solution is likely to scale, and to compromise the outcome of the election, which would have a massive collective impact.
"The NSWEC believes that unfettered access to source code by the general public would not be in the best interest of the State" (http://www.elections.nsw.gov.au/__data/assets/pdf_file/0003/...)
This apparently matters so much that it was specifically criminalised:
"A person must not disclose to any other person any source code or other computer software that relates to technology assisted voting under the approved procedures, except in accordance with the approved procedures or in accordance with any arrangement entered into by the person with the Electoral Commissioner. Maximum penalty: 5 penalty units, or imprisonment for a term not exceeding 6 months, or both." (http://www.austlii.edu.au/au/legis/nsw/consol_act/peaea19123...)
From back in May last year:
"NSWEC is working with voting provider Scytl [http://www.scytl.com/en/] to improve the use of cryptography. It will also incorporate a verification system in which encrypted votes are sent to both NSWEC and an independent auditor, allowing two sets of data to be compared to ensure votes have not been tampered with."
Interesting that on Scytl's website NSWEC isn't listed as a customer. [http://www.scytl.com/en/customers/]
I've been going through the CryptoPals challenges with Node.js and have hit a few snags, virtually all of them involving types. I've switched to TypeScript and things have gone much smoother.
The crypto module does add some padding unexpectedly, though I'm not knowledgeable enough to say if that's according to spec or not.
The Chief Information Officer of the Electoral Commission, Ian Brightwell, claimed Halderman and Teague’s discovery was part of efforts by “well-funded, well-managed anti-internet voting lobby groups,” an apparent reference to our friends at VerifiedVoting.org, where Halderman and Teague are voluntary Advisory Board members.
Yet at the same time, Brightwell concluded that it was indeed possible that votes were manipulated. Happily, despite criticizing the messengers, the Electoral Commission admitted that there was a FREAK flaw with iVote and scrambled to promptly patch it.
So what is South Wales doing wrong here, you know, other than trying to let people vote over the internet, which is a horrible idea, only perhaps matched by the absurdity of our current generation of e-voting machines? I understand their hands are not clean in many other regards with this program, but patching their cipher suite just doesn't seem newsworthy...
BTW, an open source voting machine platform (for use at the polling station) sounds like a great project for USDS or 18F.
The only correct response now, on the other hand, is the immediate firing of this "CIO", who clearly does not have the mentality necessary to be a CIO or a public servant.
"In the New South Wales Legislative Council election of 1999, the Outdoor Recreation Party's Malcolm Jones was elected with a primary vote of 0.19%, or 0.042 of a quota."
Of course, realistically, what probably happened in this case was more to do with party preferences and backroom deals, because you can give the voters an awesome voting system but then they'll just turn around and ask someone else to tell them what preferences to give anyway...
FYI, it's New South Wales (NSW). Nothing to do with the lower portion of Wales in the UK.
It's like, even if I convince every human being alive that I am not bound by the laws of gravity, if I jump off a cliff I will die all the same. To think otherwise is insane, but for some reason when it comes to software (and hardware) security we give people like Ian Brightwell a pass.
If they denied the hole, or tried to cover it up, or did anything other than fix it immediately upon learning about it, really, that's the most we can hope for.
Did they slander the researchers?
I think this is a bad attitude, but I would agree that it could be (and too often is) a lot worse.
Was this sarcasm I missed? If not, what is so horrible about allowing voting over the internet? To me the concept is brilliant if executed well. Especially for engaging the populace in non-compulsory voting countries where people might avoid casting their vote if it's going to take a significant time commitment or simply they have other commitments such as work etc.
Voting on general purpose PCs is so exploitable as to not be funny. What percentage of the electorate are running unpatched XP?
>In Estonia the pressure issue is solved. One can vote as many times as needed. When the first vote was given under pressure, one can vote differently later. As many times as needed. Internet voting is not possible on the voting day, only before. That assures that when one has no possibility to vote without pressure on the internet, one has the possibility to vote traditionally. Traditional vote overturns e-vote.
This would also solve the bribe issue. And not to say there aren't issues. I feel the opportunity outweighs the risks personally as long as good practice in the system is followed. The biggest risk in my mind is blatant exploit by the person in power of the system, much like today's rigged elections.
 - https://news.ycombinator.com/item?id=9332157
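The re-voting rules quoted above can be made concrete as a tally function. This is an added illustration, not code from the thread or from the Estonian system; the election date, voter ids and vote records are constructed sample data, and it assumes each voter casts at most one paper ballot (booth procedure enforces that).

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed election day for the sample; internet votes on or after it are rejected.
ELECTION_DAY = date(2015, 3, 28)


@dataclass
class Vote:
    voter_id: str
    choice: str
    cast_at: datetime
    channel: str  # "internet" or "paper"


def count_votes(votes):
    """Apply the quoted rules: the latest internet vote per voter counts,
    internet votes are only accepted before election day, and a paper
    vote cast at the booth overrides any internet vote by the same voter.
    Returns (tally per choice, list of rejected votes)."""
    internet_last = {}   # voter_id -> most recent valid internet vote
    paper = {}           # voter_id -> paper vote (one per voter assumed)
    rejected = []
    for v in votes:
        if v.channel == "internet":
            if v.cast_at.date() >= ELECTION_DAY:
                rejected.append(v)          # too late for an e-vote
                continue
            prev = internet_last.get(v.voter_id)
            if prev is None or v.cast_at > prev.cast_at:
                internet_last[v.voter_id] = v   # later vote replaces earlier
        elif v.channel == "paper":
            paper[v.voter_id] = v
        else:
            rejected.append(v)              # unknown channel
    counted = dict(internet_last)
    counted.update(paper)                   # paper overturns e-vote
    tally = {}
    for v in counted.values():
        tally[v.choice] = tally.get(v.choice, 0) + 1
    return tally, rejected


# Constructed sample: A re-votes after voting under pressure, B overrides an
# e-vote with a paper ballot, C tries to e-vote on election day, D e-votes once.
SAMPLE_VOTES = [
    Vote("A", "X", datetime(2015, 3, 20, 10, 0), "internet"),
    Vote("A", "Y", datetime(2015, 3, 22, 18, 30), "internet"),
    Vote("B", "X", datetime(2015, 3, 21, 9, 0), "internet"),
    Vote("B", "Y", datetime(2015, 3, 28, 11, 0), "paper"),
    Vote("C", "X", datetime(2015, 3, 28, 8, 0), "internet"),
    Vote("D", "X", datetime(2015, 3, 25, 12, 0), "internet"),
]
```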
Ensuring that remote voting is not done under any form of duress or monitoring seems essentially unsolvable.
Incidentally, voting in state elections is compulsory in NSW so your example doesn't fit this case either way.
South Wales is in the UK. NEW South Wales is the state where Sydney is, in Australia.
And if you, in an Internet comment, dare to suggest that Estonia's system isn't airtight and hyper-secure, you'll get mobbed by Estonian trolls. :/
The irony is that a world leading electronic voting system was developed by Andrew Tridgell, who lives in the ACT, which is a stone's throw from NSW (in any direction). The NSW Electoral Commission was quite free to download the GPL source code and use it as a base. I gather the GPL'd system has since been replaced with a proprietary one by the commercial partner, with the proprietary system being released under the same name.
Of Samba, Rsync, rproxy, KnightCap, hacking Tivo, SourcePuller and a host of others. Also COMP8440 at ANU ~ https://www.samba.org/~tridge/
Unfortunately the NSW contract ended in lawsuits back and forth with the NSW Government trying to reclaim the project cost and eventually (arguably) led to ERG's demise. Sad that a successful Australian company, a leader in its field, able to deploy complicated systems worldwide, was (in part) taken down in its own backyard by a (in comparison) pretty straightforward project.
In western liberal-capitalist democracies, politicians are paid above average wages, but not enough to deter doing deals behind the public's back with real estate developers, corporations, and many expect a role in business after retirement from politics, in return for doing many favours during their tenure for those very businesses.
You could almost argue Singapore has a benevolent dictator, but that is definitely not true for Western liberal-capitalist democracy. Instead I find this article more descriptive: http://en.wikipedia.org/wiki/Corporatocracy
Logically yes, but practically there are many examples proving that increasing salary only has a minimal effect or, in turn, increases bribe size. Just to name a few examples:
Bribe size is increased, frequency is decreased, which is what you'd expect from increasing salary of a public official for the purpose of reducing corruption.
Take it to the extreme and increase their salary to USD$1m per year, and the frequency could drop to 0 or 1, and the price could be $10m, so fewer instances of corruption would happen because fewer people can afford it.
Public officials are also people. Most people have the same inherent desire to be good, and yet most are vulnerable to the same temptations. The reality is not dictated by law.
Of course, good enforcement and punishment of corrupt behaviour is also required.
Rule of law and simple, transparent regulations are way more important than occasional voting. Especially if people can still vote with their feet.
Seriously though, it is indeed concerning the way both major parties are heading with this; even if they had the best intentions it's a nasty path.
Not sure. At least China gets investment in infrastructure done.
Less an illusion of accountability than a public intimidation tactic.
1) Open-source code. That's how you find the bugs and build confidence.
2) Opt-in privacy. Ballots could be like Facebook-posts - public by default, with optional privacy. After the election closes, the results would be posted on the web where everyone who voted publicly could verify that their own vote was counted correctly.
All ballot boxes are numbered and a tally of votes cast is kept. Each box is sealed in the presence of party scrutineers with numbered tags and signed for. It's sealed and tagged again before shipment. Each is opened and signed for in the presence of scrutineers.
The number of ballots is compared to the number of names marked off the electoral roll at each booth.
If a sufficiently large irregularity occurs, one of the political parties will take the matter to the Court of Disputed Returns, which can force fresh elections. This happened recently because several ballot boxes for Federal Senate votes in Western Australia were lost by the AEC. The number of votes in question was enough to leave the 6th Senate seat in doubt, so the Court voided the election.