315 comments

[ 4.5 ms ] story [ 312 ms ] thread
I have a way to make it better. I think combining old-fashioned checks and balances, with technology controls can make online voting about as secure as it is today (maybe more) and anonymous.

To make it anonymous, its really just a password. When a user registers to vote, they create an online account. On the days that a user votes, they log into their account and create a ballot. They then create a password for the ballot. This password hashed with a salt, and than hashed with their registration id becomes the unique id of the ballot. This way, at any time a user can login and view their vote... but that vote is not reversible to the voter.

Now for the checks and balances. 3rd party non-governmental parties should have a real-time replication of all data. (it's like an exit poll, but more reliable). Any time a registered voter creates a ballot, 2 things happen. An email is sent to the record holder, and a mail is sent to the address on record. Combine this with a public viewable record of all votes + registered voters who voted online (this information is already public) we should have a good idea at what business is going on.

Perhaps we can't prevent hackers, but this should be sufficient to know if a hack occurred. Of course, all software should be open source, so we can continue to make it more secure.

I think it's more secure than what is available today because today, I can't look at what is on public record as my vote. If someone changed it after I cast it... I'd never know.

If I knew someone would use it, i'd write the software.

Interesting. I'm no subject expert so I can't critique this, but it sounds better than other online voting systems I've heard. I like the checks and balances in place too.

Now I only skimmed this article, but I feel like most people who argue against online voting use arguments about how insecure it is that already apply to what's happening right now (voting software is a black box, can be hacked, etc etc, this also describes current voting machines). The only difference is there isn't a single voting db or site somewhere for people to manipulate a large number of votes (which like you said is protected as long as people can verify the open software / data).

Yes paper does have indelible properties but paper doesn't scale well, and having a paper counting machine introduces the same black box that people use as argument against current voting machines. Yes security is an issue, but scalability is also an issue.

not scaling well is a security feature!

it's a lot harder to steal and alter 5000 ballot papers than 5, which is not the case with electronic systems.

True, but not scaling well has its drawbacks in voter participation and data management, no?

Like the post above me said, isn't the risk of peoples votes getting switched OK as long as people can verify their vote value?

Only to be discovered later that NSA is spying on your votes too.
Electronic voting is an entire field of research. As with cryptography, do not come up with your own methods.

Here are some problems with your method: allows coercion (is not receipt-free), violates vote secrecy (attacker can just force voter to reveal password), allows ballot stuffing, allows partial results (no voting under equal circumstances), probably completely relies on server for "security" of passwords, salted hashing orly?, hash tied to voter by timing info, ...

There are voting schemes (the more sophisticated ones are cryptographic, but interestingly there are non-cryptographic voting schemes like Punchscan that have interesting properties) that address these. But it gets fairly complicated fairly quickly, and at some point normal voters won't be able to make sense of them. The cryptographic voting schemes also tend to get computationally unwieldy, e.g. by requiring huge mixnets.

Is there any solution where I can verify my vote, but someone can't coerce me into showing them?
Probably not.

You could make it anonymous - the unique combination of your vote, your key, and the election blockchain could produce a password unique to you. This would allow you to verify that your vote was counted, but would not allow anyone else to do so - if they coerced you, you could run your key, the blockchain, and the opposite vote and produce a different password and your attacker would be none the wiser.

But then if you find that your password has changed, how do you prove it? I don't think there's any way to prove election fraud without violating election confidentiality, even for paper ballots. How do you propose stopping election fraud with paper ballots? The current defense is merely "it is hard."

(comment deleted)
Yes, with end-to-end voting you can be certain that your vote wasn't modified but you can't prove to someone whom you voted for https://www.cs.jhu.edu/~sdoshi/index_files/randomness_paper....

Using interactive proofs you can know that the machine won't modify your vote, and using zero-knowledge proofs plus a distributed key you can decrypt and randomize, being certain that votes haven't been lost and without revealing whom people voted for.

Additionally with a public ledger like the blockchain, you can be certain that your vote is there (checking your signature), and when votes were cast.

Using something like colored coins you can ensure that no additional votes are created.

The problem that I do see with remote voting is that I could be right next to you when you vote and coerce you to vote for the person that I want

Natanael_L I just skimmed through it but will read it later today. I worked on a prototype earlier this year implementing the blockchain part, not secure yet, specially it doesn't implement the end-to-end encryption. Anyhow you can read about it here and there is a link to the video of the prototype https://medium.com/@jagbolanos/votosocial-org-towards-an-e-v...
Well we already have mail-in voting and coercion could happen at some shadier physical locations.

Would it be possible to add another vote that invalidates the first, but preserves anonymity? Then there's no guarantee that someone doesn't just revote.

There are electronic means if you're a crypto-nerd, but for the general public, paper ballots suit. You know your vote is marked to your preference when you put it in the box, and no-one can make you prove it one way or the other. You should also be able to stick around (or get someone to stick around for you) and confirm that the box you used is included in the counting, should you desire to.
I've been talking with people involved in elections in Honduras and they explained a technique that is normally used for paper ballots. It's called "La Cadena" (the chain) and it works like this.

A person goes to the voting center and gets a ballot That person goes to the booth and marks the ballot That person skips entering their ballot and goes out Shows the ballot to the coercer, verifying the vote The coercer gives the ballot to the next person The next person gets another ballot and has the previous one hidden. That person introduces the new ballot, hides the old one and goes out. And the chain goes on.

Apparently it's a common way to coerce votes in low income urban areas and rural areas. You only need distraction or complicity from a person from the voting table and it's hard to detect.

Another common issue is vote stuffing.

On the philosophical part, it is in the end a human problem, but with technology at least you should reduce the possibility of cheating

It's also trivially easy to defeat this. Here in Canada, your ballot has a counterfoil with a number on it. That number is only removed immediately before you deposit your vote into the ballot box. This ensures that the ballot you deposit is the same one you were given by the polling clerk.
An interesting tactic, but that kind of coercion would also work with online voting - standover men forcing you to vote on their computer, where they can see and track you. I imagine this would be particularly effective in poorer areas with less access to computers.

Complicity is always going to be hard to work around (it's the primary fault vector of electronic voting), but it seems 'the chain' wouldn't be too difficult to detect - the standover men would have to farm the ballots from the outgoing people and get them back into the line going in (but again, complicity to look the other way...)

Vote stuffing is easy to workaround - have the ballot papers custom-marked as they're handed out.

> technology at least you should reduce the possibility of cheating

Technology also opens up lots of new avenues for cheating. It also has the problem of not being understandable by the layperson if they have to manage it in any way at all.

I can't see how that in any way can be anywhere near secure enough. Online voting for anything important, is a bad idea.

https://www.youtube.com/watch?v=w3_0x6oaDmI

They are describing a system that can't be hacked by a single individual because there would be a third party with a record of every vote.

The video you cited uses a poorly planned and executed example of an online vote.

The US voting systems are also a poorly planned and executed set of systems.

Electronic voting of any kind is dangerous, it's amazing how much trust is used in any voting but how little can be afford when it's electronic (online or in person machine based).
Are you saying you would be able to look and see what you voted for or just a hash of your vote? One important part of a secret ballot is that you can't sell your vote OR prove who or what exactly you voted for. (This is prevented by vote-by-mail ballots which could theoretically be sold, but it's worth considering for future systems.)
http://www.openvotingconsortium.org/our_solution

Stops Secrecy in Vote Tabulation: OVC has a team of scientists ready to program computer software for voting machines and electoral tabulation that would be publicly owned or open source. Open source software could be checked by any party or group by hiring a capable computer programmer.

Provides Paper Trail: The OVC recommended procedure for tabulating elections relies on a paper ballot that is then fed through a scanner into a locked ballot box so that all originals are saved in case of the need for a recount or audit (See Sample Ballot).

Scientifically Verifiable: In addition to open source voting machine and tabulation software, the Open Voting Consortium is also working on a database checklist for standard practices in vote tabulation that would assure transparency and accountability. Some aspects of the OVC concept will soon be enfolded into California legislation.

Saves Money: Typical voting machines cost between $2,000 and $3,000, but OVC open source software could be run on any personal computer (PC) and ballots could be printed on a normal printer. OVC envisions PCs with tamper-proof cases as the new voting terminals at a savings of hundreds or thousands of dollars per terminal.(See page on OVC Cost Analysis).

https://www.youtube.com/watch?v=q8CSKdMTARY OVC at LinuxWorld 2008

Recounts and Audits are only as good as those running the recount and audit.. See Chicago, Arizona, NYC, etc, etc, etc, etc, etc....
There's an important property of democratic voting that you're missing: Not only Computer Science PhDs with cryptography experience should be sure their votes aren't manipulated, everyone needs to be.

That's much easier with physical systems.

I just look at the state of internet "security" and that tells me all I need to know.
Can I assume you also have the expertise to comment on the physical security of current voting systems by comparison as well?
Exactly.

Most arguments given against online voting systems are equally valid arguments against in-person voting and especially against mail-in ballots.

Those arguments are the red herrings.

Not really. Whilst paper voting fraud is definitely possible - maybe even easier than online fraud - in an election, paper ballots are distributed across an entire country. They require "hacking" 1000's of people in order to corrupt a national vote. Computer hacking just requires breaking the security of one application.
You can't bribe open source.

I find it hard to believe that a modern identity infrastructure (which we don't have, admittedly) combined with basic cryptography can't get us where we need to be.

We might not be able to cryptographically prove anonymity, but all it takes is trusting the government to anonymize the data correctly and make it secure in transport.

> trusting the government to anonymize the data correctly and make it secure in transport

Large banks don't always succeed at that. The government makes huge mistakes all the time. What makes you think this is possible?

The issue is that perfect security is impossible either with physical or digital voting. All we can do is minimize the consequences of an inevitable mistake or breach.

You can still hack open source though. Some of the highest profile security projects like openssl get hacked. Sometimes it just takes a simple misconfiguration to get hacked, like with Debian a few years ago.

The point is, computers provide a single point of failure. Bribing enough of a country's electoral officials to shift a vote without being detected is immensely more difficult in comparison to finding a zero-day in some voting software.

The only guarantee that open source provides, is that we'll probably find the bug eventually. A malicious state actor that wants to influence an election has absolutely no incentive to let people know that they've found a vulnerability with any sense of alacrity.

> all it takes is trusting the government to [...]

Wait, what? All the system requires is trusting the incumbent government with the security of our vote?!

And the fourth Reich lasted forever.

The problem is harder than it sounds when you're talking about something as high-value as a national election (especially in the US).

Have you read "Reflections on Trusting Trust"?

Yes. And the recent paper on backdooring CPUs by adding individual transistors.

You have to make some higher level assumptions in practice or you won't get anywhere.

Yes, you can. Current voting systems are completely open to the public and simple enough for the average person to understand.
The biggest problem with online/computerised voting is that it is a single point of attack for malicious actors. Even the best software security gets broken from time to time, online voting would allow zero-day attacks on elections - an absolute disaster.

Whilst standard paper voting may also be subject to fraud, it takes the manipulation of thousands of people in order to alter ballots across a whole country. Computers just need the one hack.

You're choosing a suboptimal attack spot in your paper voting attack scenario. Instead of manipulating the thousands of people around the country who count & send out the results of those booths, it's easier to manipulate the far fewer people who do the aggregation for final results.

Also a computer voting system that is exploitable via "one hack" is inexcusably badly designed. Yes hacks happen & adversaries have zero-days, but it's possible to build a computer voting system that is highly resistant to those scenarios. As a very simple example: have a standardized vote format that will be counted by three independently implemented systems, each on a different OS, running in parallel. A great system will go to far greater lengths for protection, but this should already show that a simple "one hack" wouldn't work.

It's still a 3-point of failure versus a thousand in a paper vote.

I've seen the British election many times, there are hundreds of people in the counting hall for every district. They count, then they shuffle the ballots around and have different people recount. It would take the bribery of thousands upon thousands of people. People who are under constant scrutiny, not just by those around them, but on TV also.

A computer is almost trivially suborned in comparison. Even our most important pieces of security software, such as openssl and others, get hacked from time to time. If such hugely important - massively used, massively tested - open-source projects get hacked, why on earth would you want to risk computer voting?

It's just standard programmer NIH hubris; we think we can do it better, therefore we should.

I've counted votes a couple times before and can tell you that where I come from in the US recounting is minimal (if done at all). We pair up with a person of our choosing and then count and recount. Collusion is trivial. Just make sure the total counts add up and that your results aren't so wildly disproportionate from the other people's that they'd get reexamined when all the pairs' numbers are summed.

I don't know what you mean by scrutiny on the TV - are local polls counted live on television in the UK?

Yep - this is the kind of thing:

https://www.youtube.com/watch?v=XydeHaqxBbg

It's almost impossible to imagine that someone could bribe that many people to influence an election in the UK. There are 650 seats with over 100k population per seat. I just can't imagine it being bribable on a large scale. Maybe some tiny constituency in a tiny district might get influenced, but the absolute smallest is about 20k votes. That's very difficult to rig.

But you don't have to bribe 100k people. You just have to bribe/influence 50,001 people (and I know that's not exactly true, this is based on a US two party system, not the variety of parties in the UK, but hang with me here.) And in reality, it's as the saying goes for Baseball. "Every team is going to win a third of it's games, and every team is going to lose a third of it's games, it's what you do with the last third that makes a difference."

Every party is going to have a large number of supporters and a large number of detractors, it's what you do with the unaffiliated votes that matters.

Now I'm really going to talk out of my ass, in a horrible, gross generalization with no support to back me up; I'd guess that for many elections, it's less than 20% of voters who actually decide the fate of their country/district. And since we're talking about voters (not citizens or residents/people), we're then talking about an even smaller group of people you must influence. That's why bribery, voter intimidation and pure old fashioned marketing matter; You don't need to get everyone on board, only a much smaller percentage of key voters. Isn't democracy great?

Some UK seats are marginal. You only need to manipulate a few dozen votes to influence those seats.

That's much easier to do.

>It's just standard programmer NIH hubris; we think we can do it better, therefore we should.

It's not NIH at all. Electronic voting has not been implemented sufficiently. It could be done. It's not about doing it better, it's about doing it at all. It's not-invented-anywhere hubris, and that's plenty of reason to do something.

People aren't much harder to manipulate than machines, and they're also just as transparent. There is no fundamental reason to believe computers can't be more secure than humans when it comes to collecting data and tallying it.

To be done sufficiently, you need to not only prove that your system is fair, reliable, scalable, tamperproof, anonymous etc., but also that you system actually runs. That combination is nigh impossible. That is the fundamental reason, bootstrapping that trust. Imagine you have a 100% open source system, cryptographically verified etc. How do I know that is actually what is running in the voting box?
Secure multiparty computation.

You trust that the right software runs, because unless multiple mutually distrusting parties runs the EXACT SAME software in the same configuration, nothing will happen at all - and they'll hopefully never agree to collude on running anything but the officially agreed upon version.

https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mp...

So who do you trust enough to be distrusting parties? This to me seems to be the same problem as making it proof of work: if the incentives are big enough, the scheme collapses. Look at the creativity that lead to caging and other forms of voter suppression
Contesting political parties. That's exactly how it's done in many countries already.
Not sure. I did consider the risk of bureaucracies becoming cemented within the participating organizations, leading to a harmful drift in values.

But you really only need each department to live for as long as the vote is active, so you can dismantle them and reassemble them afterwards each time. Hopefully that would prevent the establishment of dangerous practices and attitudes.

Whoever is managing it must be held accountable, and must work in full transparency.

> it's easier to manipulate the far fewer people who do the aggregation for final results.

It is but parties have their watchers spread around the country to report counts to their central. Any substantial difference will be noted and end up in a recount.

What saves us is the mistrust between parties. With internet voting watching each other would be more difficult. Actually I believe that there will be no internet voting where parties really don't trust each other. There will be internet voting were parties are very naive (almost impossible for politicians) or they somewhat agree not to rig the elections (again, too naive to believe?) or to decide them in advance.

> [...] it's easier to manipulate the far fewer people who do the aggregation for final results.

That problem can easily be solved with transparency. In Germany I can do my own tally of the election results as every state reports the votes down the individual polling station. For example, here are the results for Berlin from the last Bundestags election: https://www.wahlen-berlin.de/wahlen/BU2013/ErgebWahllokale/w...

I can also observe the count at my local polling station. They are required to announce their results orally after they're done counting and I can confirm that this is the result reported online.

I've been an election helper and I've always checked that the results online match those that we reported. I never did my own tally, but if the results are close I'm sure someone does them.

My biggest worry isn't about software security. My worry about online remote voting is What is to stop physical coercion of the voter?

When you have to gather at a centralised polling point to anonymously vote you can be damn sure no one is standing over the voter's shoulder twisting their arm while they vote. If you are voting remotely via a computer screen who is to know?

(comment deleted)
I've seen the following idea implemented: You can cast your vote as often as you want with only the last one counting. Sure, in practice there are a lot of things to consider to make it foolproof and it might be impossible to do securely - I don't know. But it's worth considering.
It would help against forced votes. But it's useless if some lazy person wants to sell his vote. With regular voting, there's a minor barrier in place. The incentivized voter has to go to the polling station and bring back some kind of proof. With online voting, someone could just take his ID (or e-signature device) and vote himself. The voter selling his vote may even don't know whom he "voted" for. Furthermore, someone might buy those signature devices off homeless/addicts/etc and build a massive voting farm.
We already allow remote voting for anyone who wants it.
Voting is done by entering a short key. No characters appear on the screen. Only last vote counts.
Physical coercion is possible also with paper ballots. A modern approach is to ask voters to shoot a picture to their voted ballot. No picture, big trouble.

For that reason taking a picture of our own voted ballot is a crime in Italy. Obviously is a crime also to ask people to do that. Cameras are not allowed in polling places and smartphones should be left outside the polling booth. However nobody asked me to do that the last time I voted. I remember they did many years ago. There were many phones lined up on the desk of the president of the polling place.

Not a fool proof system but a little helpful: In Germany you can request a second (and a third, and a fourth...) ballot.

So fill out the first with fake vote, take picture, ask for second (first one is destroyed), fill out second with desired vote.

This obviously breaks down when the person coercing you is with you in the polling station.

(comment deleted)
blockchain tech solves your problems.
>Whilst standard paper voting may also be subject to fraud, it takes the manipulation of thousands of people in order to alter ballots across a whole country. Computers just need the one hack.

And yet it remains far easier to hack a human administrator than to hack the system they administrate.

So it's really 1000 easy hacks vs 1 really hard hack.

It's easy to create online voting systems that guarantee a correct result. You just didn't think about it hard enough.
Some of the people behind 'wijvertrouwenstemcomputersniet' (we do not trust voting computers) are active in the CCC and have some pretty good arguments on why electronic voting really is a danger to democracy.

https://www.ccc.de/en/tags/wahlcomputer

The link between electronic voting and online voting is a strong one and one would expect the online voting situation to be far more suspect to all kinds of trickery than the one where the voting computer is set up in a booth. Even so, there are some unique ways in which a voting computer in a booth might be manipulated to give incorrect results that do not apply to online voting, but I don't think it matters much, as soon as it's just bits & bytes and audit trails who watches the watchers becomes the real issue.

Any voting system without anonymity and a way to do a re-count and some physical proof is fundamentally broken.

I agree with some of the arguments against online voting. However, it isn't really realistic to do re-counts right now, nor do people do them regularly. If the people doing the counting are bought then that is an issue too.

Both ways suck right now.

One thing that I would like to see is an open source, standardized system though.

There was/is an effort towards this right now.

http://www.openvotingconsortium.org/our_solution

Stops Secrecy in Vote Tabulation: OVC has a team of scientists ready to program computer software for voting machines and electoral tabulation that would be publicly owned or open source. Open source software could be checked by any party or group by hiring a capable computer programmer.

Provides Paper Trail: The OVC recommended procedure for tabulating elections relies on a paper ballot that is then fed through a scanner into a locked ballot box so that all originals are saved in case of the need for a recount or audit (See Sample Ballot).

Scientifically Verifiable: In addition to open source voting machine and tabulation software, the Open Voting Consortium is also working on a database checklist for standard practices in vote tabulation that would assure transparency and accountability. Some aspects of the OVC concept will soon be enfolded into California legislation.

Saves Money: Typical voting machines cost between $2,000 and $3,000, but OVC open source software could be run on any personal computer (PC) and ballots could be printed on a normal printer. OVC envisions PCs with tamper-proof cases as the new voting terminals at a savings of hundreds or thousands of dollars per terminal.(See page on OVC Cost Analysis).

https://www.youtube.com/watch?v=q8CSKdMTARY OVC at LinuxWorld 2008

> However, it isn't really realistic to do re-counts right now, nor do people do them regularly.

Australia uses paper ballots, and every election there's a seat or two somewhere that there's a recount. The major parties get their volunteers[0] to scrutinise the officials as they count as well, so you have multiple opposing interests scrutinising the actual count. Every vote basically gets at least three pairs of eyeballs on it. The officials and the watchers observe the ballot boxes all the way from the booths to the counting areas. It's difficult to come up with a more robust way of doing an actual public election, though there are some minor drawbacks.

And as far as I'm aware, this system is actually cheaper (per capita) than the US electronic systems. I imagine the 'low tech' nature is where a lot of savings happen - little need for technical skills.

[0]'Scrutineering' is boring as hell, but parties already lean heavily on their volunteers, what's one more thing?

The US has been down that road, and I forgive you for not knowing this (as you're Australian). But let me introduce you to Hanging Chad.

https://en.wikipedia.org/wiki/Chad_(paper) https://en.wikipedia.org/wiki/Florida_election_recount

Although, calling this system a "Paper ballot" is not quite the truth. While it uses paper as the medium, the hole punching method is non-traditional in relation to basic written checks/X's or even scantron selection (which also has issues). But my point is that even "simple" and "low tech" methods can still have unexpected issues, such as the infamous Florida case.

UK here, it's just a cross on a box. Nothing as complicated as these hole punching machines.
Italy here, it works in the same way. Parties have their watchers. I expect this to happen in every country, unless there is only one real party and the others are there just for the show.

In every paper based system problems can arise outside the voting site: parties can buy votes but that's the same with internet voting. With the internet and computers an attacker has the benefit of changing a vote every 1,000, on the client or on the server or on the network (MITM). That's enough to win many close elections. I wonder how parties could watch against that. Are we going to end up with computers with rootkits for every major party fighting each other for the right to vote on our behalf?

The paper based system guards against vote buying through the guarantee of secrecy. I go into a booth on my own, make my mark(s) fold my paper, and put it in a locked box. No one but me knows how I voted.

If I go in with someone else, the officials will take action.

You can try to buy my vote, but I can just take your money and vote however I want.

If I can vote from wherever I like, then someone can stand over my shoulder and watch me vote, then only pay for it if I do as I'm told.

> If I can vote from wherever I like, then someone can stand over my shoulder and watch me vote, then only pay for it if I do as I'm told.

and this scales?

If it's digital, software can be written to verify it. Or even vote on your behalf, asking you only for the credentials.
Sending a vote buyer knocking on doors and watching people vote when they happen to be voting is not very scalable. However, party activists and pollsters already do the first part. Adding the second isn't a massive leap.

However, there are situations that might scale better.

A business owner or manager might strongly persuade their workforce into voting the "right" way, by getting them to vote at work. This would scale quite well in a non-office environment, where you might suggest to your workers to come and use one of the few computers you have (for their own convenience, of course).

Another option might be some kind of party, where you invite people to come and vote for your candidate in exchange for payment. This could work quite well to gain the votes of the poorest in society, who may otherwise find it difficult to vote (no internet at home, can't easily get to the polling station).

Remember, those who care enough and are decisive enough to vote early in the day, are not the target of vote buyers. The people whose votes you can buy are those who wee possibly thinking of not voting at all, or those yet to decide as the polls are closing.

Think about the scalability of the other side. At the moment, you have a few people per few thousand voters sitting in the designated room for those voters, watching out for violations.

Both of these intimidation/buying activities would be illegal, and would certainly not be endorsed by the actual party in question, but by rogue individual supporters of the party. However, detection and prosecution of offenders will be far more difficult and time consuming.

Having to detect and prosecute these irregularities after-the-fact would also mean that elections may have to be invalidated and redone (possibly ad-infinitum) when a violation has happened, if you just remove all the illegal votes and recount, then what about all those voters who did vote with their conscience, but just happened to do so in the wrong place. Then what do you do about the actions of the illegally elected in the interim?

The quasi-standard protocol to sell a paper vote is photographing the marked ballot inside the booth, before putting it in the box.
You can photograph it, then spoil it before putting it in the box.
> However, it isn't really realistic to do re-counts right now, nor do people do them regularly.

About half of the states require by law a recount by hand at a random selection of voting locations.

> If the people doing the counting are bought then that is an issue too.

That's why you have hostile observers from opposing parties present.

> open source software

So you have the source. Now prove that it is installed at both the client and server. Then prove that the operating system, bootloader, and every other part of the computer you need to trust is actually loading and running your software properly.

Difficulty: Volkswagen showed it's easy evade inspections, and good luck proving anything on a system with Intel ME. Do you know that there isn't an extra core or ROM hidden inside one of the chips?

> > If the people doing the counting are bought then that is an issue too.

> That's why you have hostile observers from opposing parties present.

That's probably why GP wrote "bought", not "asked nicely to miscount in their party's favour".

That said, it's probably a game neither party would like to play too much, as it seems it could spiral out of control and turn into a race to bottom, sucking out more and more party money.

>> That's why you have hostile observers from opposing parties present.

Even though observers are supposed to behave in an impartial and accurate way, partisan observers help ensure accuracy by their partisanship.

If an individual counter is bought by Party A, observers from Parties B and C are there. When the teller puts some of Party C's votes in Party A's pile, Party C is there to bring it to the attention of officials. If it is likely to be close between A and B, and a teller puts a spoiled, party D, or independent paper in A's pile, then B will note it.

Once these things have been raised, they are recorded and read by more officials and observers. That increases the number of people you need to buy off in order to effect a change in the result, which in turn increases the chance of being caught or having to buy off someone who cannot be bought in your favour.

Fundamentally you could buy people off. However you'd need to get the people counting, and the officials, and people in different parties, and not be spotted by any of the public that watch. And then do that again, simultaneously, in thousands of other locations, and not get caught or have anyone you tried to buy out go to the police.
I don't get the complexity the US creates around voting. I live in a fairly large city (Berlin, Germany, around 3 million I believe).

- I walk 150m to my polling place. It's similar for most people.

- I've never waited more than 5 minutes

- The polling place is run mostly by volunteers, about 5 or 6 per place, with civil servants filling spots that can't be filled. Costs are neglible.

- I get a paper ballot, I mark my vote with a pen

- After 6pm I sometimes return and watch the counting. I can freely walk around between the people sorting the ballots and look at anything I want

- Did the same with friends last time around, we each had a bottle of beer, nobody cared. They were mostly older people happy to get a few visitors and talk a bit of politics.

- Pretty accurate first results (not exit polls) usually around 9pm.

- I can check the counts from my polling place the next day. Votes for the large party are in the lower 3-digits, so it's possible for me to specifically verify a few results.

Poland here, same process. Well, I don't think I can actually watch them count, but then again, I never tried.
In France, if you can vote, you can even count, and people can volunteer when they cast their ballot. The president of the voting station will usually also ask young voters to help.
Voting procedures are handled at the state level, subject to terms from the federal government regarding basic access and fairness, so there is a lot of variety. I lived for twenty years in CA and I could have said the same thing about my polling experiences except for doing the counting (you can volunteer to be an elector and after some basic training do so, they just don't let the general public wander in to the best of my knowledge.)

Experiences vary.

One issue is the cost and logistics of it all. In Sweden we therefore have three different elections on the same day. Campaigning tend to focus on the national election, thus the others gets a back seat and quality suffers.

Also, I've helped some smaller parties with the ballot distribution. It's not a small task for a small party to ensure each an every polling place in the country has ballots. Just the physical logistics of it is hard enough, but then you also have to deal with all the people who seem to think that only established parties has a right to participate in the election in the first place. The barrier to entry is quite high. Perhaps that is a feature though.

I have a question: Does every party has to supply a seperate piece of paper and the voter then chooses which piece of paper to put into the ballot box? What do voters do with the non-chosen ballots, i.e. how is the secrecy of the vote protected?

The system I know from Germany is that there is one ballot per election and the voter puts a mark which party/candidate they choose with a pen on that.

Yes. Three actually, if you count the different elections. On the ballot is a list of names representing the party so you can vote for a particular candidate by marking the name.

Usually people pick a set of ballots for different parties to bring behind a screen where the choosen ballots are put in the envelope for the box. The non-choosen ones you can pocket to keep secret. Some people tend to leave them in the booth though.

Here's what most people that are not from the US don't understand:

When I go to vote on election day, I'm not voting for one person/party or even three people/parties. The typical ballot in my neck of the woods is double sided and has ~30 questions: National elections (President, HoR rep, maybe senator), state elections (Governor, SoS, local rep/senator, corporation commission, referendums/ballot initiatives), county elections (sheriff, judges), city elections (mayor, city council, dog catcher), and funding questions (bond overrides and the like). I'm probably forgetting an item or 10 on that list.

I never had 30 elections on one day in Germany (I think 5 was the absolute maximum) as we elect fewer positions in general and don't combine most elections on one day. Usually the federal election is the only vote on that day with some states specifically moving their state election day by one week to avoid a clash. The only usual combination is regional/European elections or state/regional elections for the small states. Referendums (there only a few) are usually tacked onto another election if there is one in a reasonable timeframe.

The elections each use a seperate ballot (and often seperate ballot box) and are counted one after the other with the most important election being counted first while the rest is still locked away in sight.

But yeah, for 30 ballots that system might break down.

I live in White Plains, NY, which is about 45 minutes north of NYC. My experience is similar to yours. But the US is a big, big place. I wouldn't be surprised if your experience has more to being in a major city, than in Germany. That is, what is the experience in rural parts of Germany? Poorer parts of Berlin?
Looking almost exactly the same. Rural (well rural in Germany is not the same as rural in the US) polling places might have 100 voters assigned instead of 1000 and people know each other but that's about it.
Australia had open source voting machines in 2003

http://www.wired.com/2003/11/aussies-do-it-right-e-voting/

If we can bank online we can vote online, not that hard. Not perfect, but better than paper voting, that's full of bugs

How do I verify that the machine actually runs the published software?

With online banking there is a paper trail of every action taken. If we want secrecy of the vote that's suddenly a lot harder to do.

Not really, you just have to be given a number that you can later match, no one has to know that number is you. Could even digitally sign things.

I propose a system where each vote is broadcast to multiple counting organisations, to avoid the counters being biased, and each vote is numbered, but only the voter knows that number so they can check with any counting organisation that it was recorded as they wished.

E-voting makes better forms of voting cheaper, instead of just First Past The Post. Preference voting for example.

If you just give out a number you suddenly open up the system to voter coercion. I can actually prove to you how I voted. Also, as a voter I can't be sure that they system that gives me the number does not save the link between it and me.

For preference voting you don't need e-voting. Using computers to help you count ballots (with an analog check and fallback option) is possible without actually collecting the votes electronically.

Much more of an issue that people don't vote than people sell their votes, which they do indirectly anyway.

Does anywhere use computer printed ballots?, to avoid ambiguously filled out ballots.

Computer creates PNG, you print that, or it's printed at a station, you carry that paper to the vote counting machine, it's optically read, (and read by humans if you wish) without errors because it was just printed by a computer

One of the biggest problems with evoting machines is that the voter has no way to guarantee that the machine has correctly recorded their ballot.
Which is why the voting machine should print a paper receipt which in plain text tells what vote you cast; this receipt is then deposited in a ballot box.

If a result is disputed, simply count the paper ballots like we do today.

And since you can't know that the computer actually recorded what was printed on your paper receipt you have to dispute the result by default if a good democratic process is important to you.

So if you have to count the paper balloty anyway, why even bother with spending all that money for a voting machine?

There's at least two reasons, possibly even three:

a) Unless the outcome balances on a handful of votes, chances are noone will contest it. (If the result shows 47% to Party A, 32% to Party B and 21% to Party C, whereas polls showed 46% to Party A, 33% to Party B and 21% to Party C, chances are the result is fair.

That being said, yes - I think it would be good if just about anyone could contest the result and have a recount done - at least if they had to foot part of the bill, so that not every curmudgeon in the Kingdom would claim recounts just for the hell of it.

b) A voting machine system would enable one to have a preliminary result ready in seconds after ballot stations close, rather than today's system where, based on the size of electoral districts, results may be delayed by several days.

c) If properly designed, a voting machine could assist the user in creating a valid ballot; I've volunteered as an electoral clerk several times - we have had to dismiss surprisingly many ballots as there is simply no (approved) way to determine voter intent. A few checks before the vote is cast would likely improve matters.

If it's printed paper ballots, you have merely created a very expensive pencil. There isn't any benefit of using a computer+printer.
Unless the result is contested you have saved an amount of counting effort which could be a cost saving. Though I suspect it would take some time for the ROI of implementing such a system to work out positive.
> Unless the result is contested

By law a representative sample of sites are recounted by hand in about half of the states.

> you have saved an amount of counting effort

The ballots are already optically scanned.

> cost savings

A handful of pencils per-voting-booth is far cheaper than any computer+printer solution.

> > Unless the result is contested > > you have saved an amount of counting effort

> The ballots are already optically scanned.

If the result is contested then I presume that this scanning may also be under suspicion (of being faulty or having been somehow doctored deliberately).

> > cost savings

> A handful of pencils per-voting-booth is far cheaper than any computer+printer solution.

Why is why I mentioned the time for ROI to become positive. The electronic counting will save time (man power for the initial count, the need for recounts, and just wall-clock time so the results are available earlier) but the cost will be high. At some point perhaps the solution will pay for itself in time/resources saved but it will take quite a while if at all.

> I presume

Maybe you should study how elections are actually implemented instead of making assumptions. I suggest watching the talk I linked to in my top-level post.

> this scanning may also be under suspicion

Obviously. Hence why it's important to recount the paper ballots by hand. This is also why about half of the states require confirming the reliability of the optical scanners with a random sampling of hand counts.

> At some point perhaps the solution will pay for itself

No, it won't. Computers per-voting-booth are always going to be a lot more expensive than an optical scan tabulator per-site.

Also, because a computer+printer solution involves a lot more devices, you will need a larger amount of testing by hand recount. You are increasing the workload.

Unless the result is contested you have saved an amount of counting effort which could be a cost saving. Though I suspect it would take some time for the ROI of implementing such a system to work out positive.
Printed paper ballots can remove ambiguity. Did the person spoil their vote, or did they really mean to vote for X, Y, Z?
I'm not going to claim that "current" electronic voting machines are good, but the article makes no convincing arguments beyond an "I am a computer scientist" appeal to authority that it "couldn't" work. Honestly if you are going to talk about the problems involved in voting at least discuss some of the interesting anonymity preserving and deniable cryptographic techniques people have come up with- ring signatures, blockchain verification, etc. Maybe he's just assuming the powers that be would never let an actual trustless system get into play. If I can manage and view my money trustlessly with, e.g., bitcoin (and verify all transactions back to the original block) then there is no reason I shouldn't be able to do the same for votes - and verify all votes back to the original block.
Online voting is quite different from electronic voting machines. I've heard it being referred to as i-voting (online) vs e-voting (electronic voting machines).
Thanks I didn't know those terms.
I always thought a large cipher blockchain would be a pretty good idea. One could argue that "analogue" voting also has many vulnerabilities in the voting stack.
There was some allegations from Kansas statistician Elizabeth Clarkson on voting anomalies.
Um, I don't think there is much legitimacy of elections right now. How the fuck did Trump buy his way into the Republican party for one? Do I really think my vote counts right now?

"Online voting could threaten the fundamental legitimacy of elections?"

The author does have some valid points, I just thought it was funny that some people think our elections are legitimate.

Do you believe the majority of GOP voters support Trump?
Maybe OT, but why is one of the requirements for a better voting system "anonymous"? What's wrong with a voting system in which every citizen's vote is transparent and available? Seems like it would be much less susceptible to fraud and easier to audit that way. I don't see a problem with anyone seeing how I voted!

Maybe I am missing something?

In a system where your vote can be verified, you can be coerced into voting a certain way.
As a special case of this, one might see the mild "coercion" in simply being uncomfortable with going against the grain by voting for something that others strongly dislike.
The votes do not need to be public. It should only be verifiable to people that know your key.

That does not solve actual coercion, but honest peer pressure isn't a problem.

In a system where your vote can't be verified, there's no way to assert that

- your vote went to the candidate that you chose

- all votes come from actual human beings

Politicians can rig votes without coercing anyone, so I guess that's a plus.

That could be avoided by generating a new identity for each vote.
It enables candidates purchasing votes
I don't see why this is such a bad thing. It happens anyway, let's just be honest and own it.
The only difference right now is that we don't receive a penny of the money spent on voting campaigns.
(comment deleted)
Thanks for those (other comments) - it seems obvious in retrospect. As someone whose vote cannot be bought these things don't occur to me. :-)
I'm not looking to buy your vote. But should you choose poorly come Election Day, maybe me and the boys will pay you another visit.
This is based on the premise that we have a democracy in the first place. There nothing really to endanger here.
Andrew Appel (CS Prof. at Princeton) gave a very good talk about the problems of voting systems and why internet voting is a terrible idea.

https://www.youtube.com/watch?v=abQCqIbBBeM

The secret ballot with counting observed by all parties is a technology that evolved out of necessity over hundreds of years. Adding more technology adds complexity which is the same as adding more attack surface.

The thing about online voting that has always gotten me is that it violates the ideals behind the "Australian Ballot." [0] ie, one should have the right to cast a secret ballot, and doing so in a public polling place at least theoretically guarantees this.

With online elections, there is no proof or protection of this. For me that's the most important thing. Full Stop. Security implementations, hacking, etc. are all secondary concerns in my opinion.

[0] https://en.wikipedia.org/wiki/Secret_ballot

note: As a True Capitalist(I say sarcastically), I've actually come to believe in being able to sell my vote (I'm quite serious), which of course, the secret ballot precludes me from doing. After all, if I'm going to be forced to essentially only choose between the lesser of two evils, I should at least be able to profit from the poorly designed electoral system.

I actually "back of the napkin" calculated this for the last presidential election, and I believe it came down to something like a rather pitiful $3 for each presidential vote (forgive me, this was a while ago). Of course,once you add the other elected positions, this increases, but I believe it was still generally under $20 per vote. I did not take into account geographic discrepancies (different number of positions up for election/different amounts of money spent on highly contested elections, etc)

This is not an issue with online voting, and paper voting does not guarantee that right either.

In Estonian e-voting, you can vote as many times as you want, only your last vote is counted. A week after online voting is closed, there is still a paper voting day, where you can go and override your online vote with a paper vote in the traditional booth. If you were coerced to vote a certain way online, you can still go to this private booth in a public polling place to place your "real" vote.

There are ways to check your vote even in a public polling place. Let's say you need to take a picture of your voting paper before you leave the booth, and you have to send the picture to the person coercing you. The person coercing you is standing outside the booth so that you can't walk back and forth to ask for a new paper.

There are some good reasons against online voting, but most of the obvious ones you can think of are already solved.

In Estonian e-voting, you can vote as many times as you want, only your last vote is counted. A week after online voting is closed, there is still a paper voting day, where you can go and override your online vote with a paper vote in the traditional booth.

So they can unambiguously tie a specific vote to a voter, yet nobody is concerned about the possibilities of retribution against certain voters?

Yes, they can at some point in the flow unambiguously tie a specific vote to a voter. Postponing the "separation" to after the paper ballots have been cast is then a simple trick. How it works is they encrypt the vote (using assymetric encryption), and then sign that datapackage with the private key on your ID card.

Once the votes need to be counted, the signature is removed, and all the resulting encrypted vote data is then sent (without identifying information) to a third server which has the private key to decrypt the votes. They are decrypted and then counted. This third server has no access to identifying information. The server stripping votes from identifying information has no access to the decrypted data.

You assume that a coerced voter has the freedom to go to the polling booth later to override a vote.

What about coerced voters who are the victim of domestic abuse[1][2]?

[1] http://www.theguardian.com/politics/2001/jun/02/uk.election2... [2] http://www.fahrenheit211.net/2015/12/04/oldham-was-it-the-be...

Exactly, so it is at least as secure against coercion as current methods.
No, it's not. The paper system allows you to spoil the vote after taking the picture. You can't do that with the digital system.
Which is still coercing your vote. Not to mention normal postal voting is also susceptible to the same problem, and I bet we'd all agree that's much less secure, yet we still use it.
The key claim is: there’s no way with any reasonable amount of resources that you can guarantee that the software and hardware are bug-free and that they haven’t been maliciously attacked

The same could be said about other electronic systems that already govern lives, like planes, cars, phones and medical equipment.

And yet life goes on.

But those things do go wrong all the time. Luckily they don't dictate who controls the entire country.
Except half the country is not doing everything possible to bring every plane under their control. With the the other half trying to resit with little regard for the safety of the passengers. Security and transparency is far more important when humans are in conflict.
I don't see a way we can have a direct democracy without facing the dangers of online voting.

We either trust in our politicians to represent us well, or trust in software we will lobby to peer-review.

Beyond that we trust the majority won't vote for stupid things.

I feel that our fears are misplaced towards the wrong kind of voting machine, the one that collects the vote. The other kind, the one placing the vote, is far easier to manipulate. Facebook and Google have the mechanisms at their disposal to influence elections globally, and within a couple of election cycles could probably have the world's democracies more aligned to the interests of the US.
(comment deleted)
That's what I was thinking, although I don't think Google and Facebook are a problem as they can only provide slightly different choices from within a narrow range that people are already interested in. It's the relentess torrent of brainwashing across all media which frames people's opinions and doesn't allow them to think seriously outside of the narrow choices (2 party system, pro/anti [issue]) which ensures that there'll never be change which actually makes a difference (ie the environment, religious crazies controlling nuclear weapons, increasing gulf between rich and poor, companies subverting democracy via lobbying and trade agreements).
Can't you do something with multi-stage voting on multiple independent machines? A way to do error correct coding and consistency enforcement such that no one malicious machine can successfully alter a vote?

I'm thinking smartcards could make it reasonably easy to use, where you simply repeat your vote to some degree and where the chip verifies that the voting machines are all saying the same thing.

Well, the way provisional ballots and vote by mail flaws have been exploited is also a danger to democracy.
I'm strongly against online voting. The problem #1 is buying and manipulation of votes. Security and/or anonymity is much smaller issue IMO.

In my country, barely 50% of people vote. Most people don't care about politics. "Incentivized" votes is a huge issue there. People are routinely brought to polling stations and given a thank-you beer on return. Agitators are using all kind of borderline-blackmailing techniques on older/less educated people.

Online voting would make this A LOT easier.

I think there are big opportunities here for the extension of democracy. Democracy as it stands is quite weak - technically a Polyarchy, meaning that elected officials make decisions which we ratify. This could mean citizens could participate in decision making.

The same reason is why the government and many people will try to oppose it, because greater democracy is a threat to any power system.

The reason why people feel disconnected from politics is by design. The rulers don't want the people to participate, they want them passive.

Do you really want citizens participating though? I have no clue about what it takes to run a state and I'm not a lawyer and can't really read new laws. Also, I have a job and very limited free time that I don't want to spent on keeping up with new developments in politics.

So my opinions are likely very biased and quite useless for the political process. Even elected officials seem to have a hard time reading all the things they vote on, letting Joe average vote on almost everything seems like a recipe for disaster to me.

>I'm not a lawyer and can't really read new laws... Even elected officials seem to have a hard time reading all the things they vote on...

And yet you're expected to follow them. All of them. Ignorance is no excuse and lack of criminal intent is no defense.

We've got a bigger problem here than how the votes are cast.

When Austin gave its citizens the task to make a decision, they voted against uber/lyft, and now both companies have left the city. Currently feeling like we shouldn't give more voting power to citizens on everyday issues, since the media and lobbies can get people to do crazy things like give up easy cheap and safe rides.
Uber and Lyft spent millions of dollars in campaigning to make people vote in their favor according to the reports I've read.

If "media and lobbies" can get people to vote in their favor, why didn't the side with the money and lobbyists win the vote?

Funny how any time a vote goes your way it's democracy, but any time it goes the other way it's "the media" and "special interests" and "lobbyists" that perverted the system. I am extremely pro-Uber, but wasn't Uber's own marketing partly to blame for the outcome of that vote?
Yeah, democracy can suck when you disagree with the majority opinion...
> Ignorance is no excuse and lack of criminal intent is no defense.

For many, many crimes intent is indeed a requirement.

I think this issue could be overcome by a proxy/delegate style system. With the ability to change proxy/delegate at any time, we would have ongoing accountability and move away from the problems of election cycles. Even better from a representation viewpoint (but more complex from a design viewpoint) is the option to have different proxies/delegates for different decisions/topics.

The real problem is balancing tradeoffs, particularly between spending and taxes. Currently (in Australia at least) the size of the expected budget defecit is a crude metric for the overall financial responsibility of the government and is a factor in elections. If citizens can vote independently for spending versus taxes, then there is nobody to hold accountable (tragedy of the commons).

> I think this issue could be overcome by a proxy/delegate style system.

A proxy system should have an automatic expiration (1-month, 1-year, etc) as well.

Look up the Swiss style of democracy. They have elected officials for day-to-day tasks and frequent referendums for subjective matters. From what I saw, their referendum campaigns are great. You can make your own opinion with an hour or two of research, tops. Even with the very limited time, IMO few hours a year is worth it to be more involved with shaping your own society. Best of both worlds.
Look up the situation in California with referendums. More direct democracy is not always wine and roses.
Yes, for instance, Prop 13. Though it sounds good to voters, the actual results are terrible.
Our Swiss Constitution was based on California's. We added cooling-down periods and made referendums binding to the Legislature, not directly law.
> Do you really want citizens participating though?

What is the alternative? Some aristocracy deciding matters without any consent from the citizens?

If you get any alternative that's actually better than the citizens participating, I'd love to hear it.

That is almost exactly what we have now. I'd hope citizen participation would be an improvement but I'm not certain. Populist positions can be good, but they can also be disastrous -- look at Trump, his brand of populism preys on the most base and vile aspects of human nature: hate, bigotry and racism and he intends on enacting policies which will inarguably be horribly destructive to the very fabric of the country and arguably the world. If we had direct democracy, what makes you think we wouldn't just get more of that? A lot of the principled stands that keep the country in one piece are not widely popular.
This is what we have now. We just have a saying on what lizard will rule.

Do you think everybody voting for Trump would vote for his hateful policies? I'm not on the US, but it looks to me that Trump gets most of his approval from his "I'm not one of the lizards" PR. If people didn't have to get the entire package, it's very likely they would be critical of those worse parts.

I'm not sure if I'm reading your comment correctly. I totally agree we should aim towards educated and politically active society. However, educated bit should come first. Then we can start making it easier to participate. Tiering the barrier of coming to polling place won't educate people by itself.
This comment papers over a huge problem. How educated is educated enough?
Yeah, I'd imagine the founding fathers would see today's voting populace as quite educated, relative to theirs...
How do you get those educated citizens when it's against the rulers interest?
Agreed. In 100 years people will look back at how basic our democracy had become. One choice from a selection of two, every 4 years. This dissociation with current issues is dangerous.

As democracy develops and citizens start to participate, we become more responsible for our decisions.

Buying votes is orthogonal to online voting. One can buy offline votes as well.

If anything, online voting system can let you "change your mind" later, robbing buyer of vote they paid for.

Sure votes are bought offline too. But it's much more difficult.

The people who sell votes don't care to "change their mind". They get their reward and they're happy with that. People who would bother to change their mind, don't sell their votes in the first place.

Why would it be much more difficult?

The difference is "upload a photo of your ballot" versus "upload a screenshot of your vote".

The usual scheme is, buyers pick up sellers and drive them to polling places. Police is usually on the look out for cars that frequent the polling stations. Or park just around the corner. The sellers usually are homeless-ish/addicts/etc. Large amount of such people raises awareness. Sometimes approaching such people and asking what's up is enough. They don't bother to lie and just tell they sold their vote to some guy in black BMW for €xx.

Now if online voting was allowed, the buyers could just take the seller's signature device and do voting himself. 100% the vote is correct. No possibility to get caught at polling station. The sellers don't hang around the polling station, thus less chance to raise awareness.

In addition to that, buyers could buy the device en masse from the addicts/homeless/etc and have a ready-to-use voting farm.

All in all, yes offline vote buying happens and it's not rocket science. But online vote buying would be much easier, quicker and less chances to get caught.

"could just take the seller's signature device and do voting himself"

That's identity thieft, which should be punishable by a few years behind bars.

Also, make those signature devices tethered to receiving whatever equivalent of Social Security payments, and addicts/homeless will not let anybody lay a finger on it.

> That's identity thieft, which should be punishable by a few years behind bars.

When the holder of the identity agrees, it is not a theft. Of course it is still criminal, but how could you reliably enforce that?

Identity is non-transferrable. It's theft all right, albeit with different victim.

Once one of those addicts complains that you're using their ID, you're a toast.

As I understand it, there's a similar scheme in Oregon's vote-by-mail mechanism. You can buy someone's mail-in ballot, vote the way you want, and have them sign and submit it.
That's why it's illegal to take a photo of your ballot, at least in most states in the U.S.
Wow, if it is illegal then it won't happen.

They should make killing also illegal.

It's also illegal to become a cat burglar and pull a mission:impossible-style break in to alter votes after they have been cast.

it's very cynical and defeatist to argue that we should never try any solution that is not 100% perfect.

Taking a photo of your ballot paper is a criminal offence (at least where I am) and one which can only be committed at a specific physical location and time. In other words, it's a crime with a very low payoff (an individual vote can't be worth very much money), and a relatively high risk of detection.

The risk of getting caught taking a screenie in the security of your own home with no pollwatchers and election officials around is much, much, lower.

You can take a photo of the ballot with the "correct" box marked and then spoil it (eg. by marking all boxes). That's what I'd do if I was coerced to vote for some candidate.
I think you've stumbled across a bigger issue - democracy is fundamentally broken since no one has any incentive to vote correctly.

I know a lady who's a likely Trump voter. But she also donated money to Hillary in order to get the "woman card". https://shop.hillaryclinton.com/products/the-woman-card She's pretty honest that it's just entertainment for her - like voting on American Idol.

Think about how many elections have been swayed due to "I support Obama because I'm not racist", "Bush looks like a cool guy to get a beer with", "boo yeah Trump - take that liberals who look down on me", etc? (Amusingly, neither Bush nor Trump will ever get a beer with you, teetotalers both.)

People get away with this because their vote doesn't matter. If they vote wrong, they won't lose anything. So why not just do what makes you feel good? You've got no skin in the game.

I just finished reading Kant's perpetual peace. He says something like "war protects from despotism".

I'm a Finn. During the cold war we we're situated right next to Leningrad, but still pretty much free-trade capitalist liberal democracy. Our country has very little corruption, very good primary education, free health care, conscription and long line of very very well liked past presidents. Everybody had skin in the game.

Suppose you vote wrong for some national socialist who will destroy the economy and kill the muslims. How much will you, personally, lose? I.e., multiply your actual losses by the probability of your vote affecting the outcome.

Now compare that number to the 1 Euro worth of tribal satisfaction/self righteousness/other positive feels you get from voting for that national socialist.

In contrast, consider a true "wisdom of crowds" situation. When I hold irrational views about share prices, the stock market immediately takes my money and gives it to people with rational views. Bad decisions result in immediate losses in direct proportion to how bad the decisions are.

You need some goal to correctly target that "wisdom of crowds". So first we need democracy to set the goal: Gini-index vs. Pareto efficiency. Freedom vs. security. Protection of personal rights vs. right of group self determination.

Then throw into the equation some very polarizing stuff like abortion, drugs, animal welfare, inheritance tax, immigration and whatnot. Then watch as some political entity loots government budget while people are arguing. This happens in Finland too now that Russia is weak.

Maybe representative democracy is broken (there are reams of good texts written about it).

OTOH direct democracy may be not as broken, since the effects of voting are much more immediate and local. See Switzerland that constantly keeps voting against populist measures like lowering the retirement age. It lasted ~850 years so far, longer than almost all European states and 100% of American states.

Switzerland is compact, but even then it's a pretty loose union, a confederation with important laws significantly varying between its many cantons. This system is more or less imaginable in the US with a more restricted federal government (despite the size that was the rationale for the current multi-step representation system), and hardly even imaginable in highly centralized states like France.

People have generally not established direct democracies throughout history for a reason. I personally never want to see a direct democracy in the US, because if you want to have your faith in your countrymen destroyed go spend an hour sitting on a bench outside a Walmart and just watch humanity at work.

The vast majority of people are borderline illiterate emotional animals. You don't see or interact with them because they exist in their isolated silos of service work and personally proffered bars and TV stations, but the number of rational informed actors in any given election is in a steep minority.

I don't know the Swiss well, but I'd hope they have a much better culture to support direct democracy than what the US has, because the US would be a disaster. Islam would be banned, Hispanics would be kill on sight, police would be given heavy artillery to demolish drug dens. Whenever any international news of any kind phases the country there would be immediate over-reactionary laws passed to diminish liberty and perpetuate a culture of fear, because that is a large part of what we have now, and giving that animal brain legitimacy on the national stage would be a global catastrophe.

> borderline illiterate emotional animals

This may be true in some cases; this is why I think universal vote, without any limitations, is not a good idea. Voting is a privilege and a job of running (a small piece of) your country. Compare it to a jury duty.

This, again, may be false in some cases. Unless the voting process is framed as a sports match (like it usually sadly is), the emotions are much easier to keep in check, and reason is easier to listen to, even without an advanced university degree.

OTOH if you don't trust your countrymen, I wish you all the luck in importing infallible Martians to help you rule your country as e.g. a king. On this planet the only way used to be growing and educating some portion of your countrymen to be able to run the country (without running it into the ground). This applies to kings and dictators to a very high degree. This as well may apply to a wider mass of voters.

I suspect this is what happened to the Swiss: centuries of local self-rule and rather immediate consequences of it, combined with living in rather harsh conditions most of its history, must have educated people not to take the voting lightly. I don't see modern Swiss killing Muslims or Hispanics on sight (it's not the Reformation wars time), but I do see a ban to build minarets [1]. Apparently the fallout was pretty small, without a "culture of fear", Muslims fleeing the country or something like that. Sometimes a minority has to listen to the majority; it's best when the compromise is as small as this ban. Regular not listening to the majority and alienating them makes for what you fear: the mob running over the castle of the highly-cultured but insolent lord.

[1]: https://en.wikipedia.org/wiki/Swiss_minaret_referendum,_2009

Direct democracy is still broken. If I vote wrong I suffer nothing, but I may gain positive feelings.
The point of voting is usually to determine what is right or wrong. If you're a god having all the answers, you need devotees that just obey your scripture, not citizens with a privilege to vote.
"People get away with this because their vote doesn't matter."

Why doesn't voting matter? Gerrymandering? The money race? Duverger's Law? The electoral college?

Because your vote has essentially 0% chance of altering the outcome. Hence your expected cost from choosing wrongly is 0% x something = $0.
democracy is fundamentally broken since no one has any incentive to vote correctly.

Correction: democracy is fundamentally broken when no one has any incentive to vote correctly.

Your argument against democracy is based on one single implementation, and a pretty flawed one at that. Maybe take a look at how other countries implement proportional representation, or where the political landscape is diverse enough that no single party usually gets a majority on its own (e.g. most of northern Europe).

I am copy pasting my article's reply for the sake of debating this.

I, like you, live in a country were barely 50% of the population vote. This is exactly why I think Online voting is good for democracy. Essentially, more people will vote:

I am strongly against the view of the author.

I see that the majority (or a large portion) of voters are fanatics that vote based on affiliation and fanaticism, not policies nor experience.

Ie. The voting numbers are largely biased towards the political fanatic crowd.

I see online voting as a way to increase the number of ordinary people that vote. Getting the voting population to 80%+ or more is good for democracy. I see this as a positive.

Saying Online voting is a danger to democracy is like saying autonomous cars are a danger to safety.

Yes, if the autonomous system doesn't work and is made with loopholes that allow dangerous stuff, it will pose a danger. But if made to work fail-proof, it will be infinitely better.

There's no point in saying something will not work if your only argument is based on the proposition that it's going to be broken before it's even used.

Sure, an unsafe car is not safe. The only way to make it safe is to make sure it's safe.

The only way "democratic" online voting will work is to make sure it's "democratic".

Corruption and incompetence are indistinguishable.

Electronic mediated systems are utterly infeasible to audit. Among other reasons, many failure modes are silent.

The good standard for election administration is the Australian Ballot (private voting, public counting), administered per precinct (distributed), counted onsite when the polls close. It's observable, there's a physical chain of custody (that can be verified), it has the largest attack surface area (increases the cost of attack).

On the privacy note, only the Australian Ballot preserves voter privacy while ensuring a public count is possible. Postal balloting, touchscreens, online voting all remove the secret ballot (otherwise they could not be verified).

Most votes are already bought and manipulated by the handful of people who own the television coverage of the election, by tilting that coverage in favor of their favorite candidate.
Well he should try http://agoravoting.org
How does this guarantee a secret ballot, i.e. that voters remain unable to prove to a third party that they voted in a particular way?

Low-value elections don't necessarily need secret ballots, but it's important for high-value elections, like selecting the POTUS.

Just a reminder: democracy is not a panacea. In fact, the founders of the U.S. were all very concerned about democracies. Democracies inevitably lead to mob rule and chaos. That's why we created a representative republic.

We resolved that by creating a layered system, where small, local groups have frequent elections for things that have great power over their lives, and up the chain we elect national representatives much more infrequently to handle big picture things with little impact on daily lives. We also created a senate at all the levels, which is responsible for the architecture of the system itself (which is why we had the state political parties choose senators. Likewise, using this same theory, you would have local governments choose state senators).

Didn't work out that way, but that was the solution implemented at the founding of the U.S. Worked okay for several decades. But nobody wanted a democracy. In many ways that's worse than a single-person dictatorship.

So regardless of the technical issues, democracy itself is fraught with problems, even in groups as small as 100-200. Unless those problems are acknowledged and dealt with, the "online" part won't matter one way or another.

Terrifyingly, Estonia thinks it is such a good idea they use it in national elections.

A good look at potential problems with their system is here: https://estoniaevoting.org/

Here is a response to this "independent" report: https://www.ria.ee/en/e-voting-is-too-secure.html
Wow, this is a rather… childish response. It doesn't actually rebut the claims being made, they seem to dismiss everything with “so what”, as if they do not actually understand what is wrong. And the rest of the post is just deflection by making ad hominems, or complaining about things that weren't what the researchers said.

For example:

> 1. Debian Linux packages were downloaded from a place that the experts didn’t like.

> So they should’ve been downloaded a distro from a .ru or .su website?

They should have been downloaded over a secure connection and verified. Do you know what a MITM attack is?

> 2. The icon of a poker website could be seen on the desktop (was it actually a poker website or ‘an icon similar to the icon of a poker website’?).

> Of course, having this icon on the desktop of course discredits the user of that computer, their country and the entire European Union.

That they have gambling software, whose legitimacy is uncertain, installed on computers used for preparing servers for elections is concerning. Why introduce another possible threat vector?

> 4. The WiFi password of the local guest network could be seen on the wall.

> Oh dear, because the election servers (with the telephones and computers of all guests) are certainly connected to that WiFi network, their ILO ports greedily open.

No, the election servers aren't connected, but the computers used to prepare data for the election servers are.

> 5. The cameraman who shot the audit filmed an elections observer in such a manner that his password was captured on film.

> We do thank you for this observation – we will improve our cameraman’s training – but this is an error of the supporting process (the audit) and not the main process (the elections).

So? You've still had your password compromised.

I could go on.

They should have been downloaded over a secure connection

That's not how apt works. The connection is assumed unreliable, the verification happens after download with the Debian keyring (already installed, and can be independently inspected and verified).

Sure, apt is secure. However, I don't think that's what's being discussed. If I remember correctly, the researchers were complaining about how Linux ISOs were downloaded, not packages. (The writer of the rebuttal seems to be confusing these, which is, again, concerning.) To quote their paper:

> Despite procedural safeguards, an attacker who strikes early enough can introduce malicious code into the counting server by using a chain of infections that parallels the configuration process. During pre-election setup, workers use a development machine, which is configured before setup begins, to burn Debian Linux installation ISOs to DVDs. These DVDs are later used to configure all election servers. If the machine used to burn them is compromised—say, by a dishonest insider, an APT-style attack on the development facility, or a supply-chain attack—the attacker can leverage this access to compromise election results.

> We experimented with a form of this attack to successfully change results in our mock election setup. We first created a modified Debian ISO containing vote-stealing malware intended to execute on the counting server. The tainted ISO is repackaged with padding to ensure that it is identical in size to the original. In a real attack, this malicious ISO could be delivered by malware running on the DVD burning computer, by poisoning the mirror it is retrieved from, or by a network-based man-in-the-middle.

> During the setup process, election workers check the SHA-256 hash of the ISO file against the SHA256SUMS file downloaded via anonymous FTP from debian.org. Since regular FTP does not provide cryptographic integrity checking, a network-based man-in-the-middle could substitute a hash that matched the malicious ISO. However, this hash would be publicly visible in videos of the setup process and might later arouse suspicion.

(https://jhalderm.com/pub/papers/ivoting-ccs14.pdf)

seems relevant:

"We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too."

https://www.youtube.com/watch?v=TuW4oGKzVKc