That's not exactly 'more fundamentals'; it's a much shorter, less informative, and more biased piece. The linked article goes far more in-depth, is far more objective, and after reading through the first 5 articles I feel a little bit more edified about the issue.
Now I understand the core beef: that a schema change to this voting software caused all votes to be stored in their relational DB as doubles instead of ints, and a good way for observers to verify that an ordinary election isn't behaving as a weighted one behind the scenes was never added, which makes this voting system insecure and not what a reasonable person would consider "observable".
The article you linked, on the other hand, made me feel patronized, skeptical of the author's central premise, and a little bit uncomfortable.
I don't see what the problem is. Fractional vote transfer is a basic feature of Single Transferable Vote (STV) elections. Although there's no reason to do any counting on the voting machines themselves in that case, just recording the ballots.
The problem is when it can be enabled in elections that do not use Single Transferable Votes, and discovery can be plausibly denied as a configuration error (oops, it's still set to weighted voting from a previous election and wasn't reconfigured correctly).
"Harris found the “DOUBLE” setting in all GEMS databases from all states for version 1.18 forward. Looking at older GEMS databases, version 1.17 and before, votes were instead configured as whole numbers (LONG INTEGER)."
On top of that, they claim that there's also specific functionality to deal with rounding in the output results - why would anyone do it if they honestly thought that votes are always integer. In fact, they even present an email discussing the implementation of this, so it wasn't exactly under the radar.
This is why we absolutely do not need electronic voting (or electronic vote counting) in any way.
Paper voting (with polling locations distributed to balance load) with hand counting and verifiable addition operations to get the final vote counts is what is needed.
Having voted in person at town hall, and then having helped count the votes, I know that it is doable - just like any other laborious task is doable with enough people involved. Electronic voting just doesn't buy you anything more than risk - all at the cost of verifiability.
The other advantage to hand counting with a neighbor nearby is that there is a strong penalty for manipulating the election - your neighbor will notice. These machines make it way too easy to manipulate elections at mass scale without detection.
Those systems are made by massive companies with a hugely vested interest in NOT screwing up because screwing up would massively screw up their revenue.
That's significantly less important than voting. And the incentives are properly aligned: the bank is responsible for making its systems secure, and if they lose your money they have to refund it. Voting? Not so much. Lost ballots? "Woops :) sorry."
If the voting machine vendor executives faced actual personal serious jail time for botched counts, I might be more inclined to trust it. Then again, I bet you a tenner they'd suddenly have a lot more fail safes in place.
Aligned incentives is absolutely, 100% required for anything to work in our society. It's what we're built on. Otherwise you will always be swimming upstream.
> Aligned incentives is absolutely, 100% required for anything to work in our society. It's what we're built on.
I wish more people understood this simple fact of human psychology. It's astonishing how often people will support some system that incentivizes bad behavior, and then act surprised when people behave badly.
What's more, when faced with this situation, these same people will resort to shaming the bad actors rather than fixing the broken system.
Aligning incentives properly is hard. I think a good example is about how to best incentivise General Practice medical care centres (UK NHS system). Patients seen? Patients in catchment area? Mortality/Morbidity rates? Patient outcomes (how you measure these is a rabbit hole of perverse incentives)...
Each and every idea has a logical optimum strategy for the trust to maximise income, and all of them aren't quite what you're trying to achieve. So you really want to blend some of these (and others) together in just the right mix, but without creating hundreds of hours of admin just to support the metrics.
Part of the problem is that the incentives are skewed. Visa has incentives to have a strong auditing trail and to perform constant audits because they bear part of the cost for fraud. Merchants are also heavily incented to carefully manage credit card data, because they are responsible for bearing much of the cost of fraud.
What are the incentives for voting machine manufacturers to do a good job? Engineering a trustworthy system is tough, and it's expensive. If the machines cost twice as much, no one will buy them and it won't matter if they're more secure. And the market itself is unhealthy. If you spend 10 million on voting machines, you won't replace them the next year even if a bunch of security issues surface. You'll "demand" the company fix them, they'll issue some half assed patch, and you'll go on using the junk you bought.
Bank accounts are verifiable: you can look at the list of withdrawals and check if there are any unexpected transaction, and whether the computed account balance corresponds to the sum of transactions. The concern with electronic voting machines is how to provide a way to check their work.
People steal identities to withdraw money from bank accounts and credit cards every day though, the consequences of fraud really aren't the same. It's easy to go back and fix the numbers in a bank account, and it's also pretty easy to notice there are transactions you didn't make and money is missing from your bank account, it's much harder to notice fraud when it just results in extra votes.
If a national ID (like your SSN) were implemented correctly with multiple verification steps, identity theft wouldn't be a problem. I know that's a fantasy that will never happen, but identity theft shouldn't have to be something people have to worry about. I shouldn't have to think about identity theft protection. Heck, it shouldn't even be a thing. If someone steals my identity, all they did was convince a clerk they were me. That's the business' fault, not mine.
That's not the same at all. Credit card transactions are auditable; just compare with the receipt. The same is not true of electronic voting machines with no paper trail.
What if the voting machines printed out a paper copy listing who you voted for that you could compare with a copy online listing who you voted for? It doesn't solve the problem of hacking electronic voting; that can only be solved by using paper votes. Sadly, until there's a mass voter fraud scandal, the majority of the public won't know or care about how vulnerable electronic voting is.
Voters should not be able to prove whom they voted for; enabling them to do so opens up the door to several kinds of fraud (vote buying, coercion, etc.).
There are some pretty neat solutions to this. One of them involves a double layer ballot+receipt. When viewed on top of each other, they spell out the vote, but alone the receipt will just give you enough information to see if your vote is counted or not:
Another scheme is giving away fake receipts in addition to or instead of "I voted" stickers.
OK VLM your boss needs a Trump receipt, your communist college professor needs a Clinton receipt, you need another Clinton receipt for facebook and github or they will delete your accounts, that'll be one R, three D, would you like any complimentary green party receipts? OK here's all your receipts thanks for voting see ya in 4 years!
Heck hand them out with the bake sale goods. Have a free set of pre-printed fake receipts for ALL the candidates with some delicious chocolate chip cookies that fund this schools PTA. "Could I interest you in this cageless chicken egg gluten free organic soy oil brownie with a complimentary fake green party receipt?"
The machines San Mateo County uses do that. After you've made all of your selections, your votes are printed on a paper roll which appear behind a window, with a big bar code at the bottom. If you approve, the paper is wound out of view so the next voter can't see it. You can reject the printed version and go back, in which case the paper is marked with CANCELLED or something similar.
At the bottom of each voter's paper roll entry is a big bar code. This allows quick recounts by running the paper roll through a machine that reads the bar codes. A full manual check is also possible, but slow. The system goes through miles of thermal paper for each election, but works OK.
In credit card transactions a certain percentage of theft is expected and accounted for. It's built in to the price of using credit cards and buying goods.
There's no way voting for candidates can account for vote theft in the same way.
We can see the transaction history and balance in financial accounts, and when there's a mistake we can and do get it corrected.
Don't forget that Wells Fargo was able to open millions of accounts without consumer authorization. So maybe financial accounts are less secure than you think.
I'm also surprised by blanket assertions that electronic voting is inherently bad. But I'm equally surprised by assertions that electronic voting is inherently good.
Banking systems are publicly verifiable. If your balance suddenly changes, you're going to know about it.
With electronic voting, any method of verifying your vote is incompatible with the principle of a secret ballot.
(edit: additionally, with paper ballots and adversarial scrutineers, every vote will certainly be counted properly as the people who stand to benefit(the politicians) can raise an issue if a ballot is being counted the wrong way. It's much less likely that every individual would verify their own vote).
The resistance for voting via software may really concern you, but the push for it really really concerns me...
The resistance isn't about the use of electronic systems for our elections but about the poor reliability and lack of transparency of the current systems. The vote count should be reliable and transparent. Is it to much to ask?
I think that helps, but only if there's a system in place to audit at least some percentage of the votes. When I voted in Mississippi, the voting machine wrote my results onto a roll of receipt paper. I have little confidence that anyone ever audited that paper.
While it may not have been audited, it at least has the potential to be audited, say, if there are questions regarding the validity of the outcome. That said, it would boost confidence if there some verification/auditing going on.
As a sibling comment mentioned, the mere potential for auditing increases the cost for a malicious actor to perform manipulations, since the chance of getting caught is higher, and the penalty for getting caught is potentially disastrous.
If you can't verify that the printed results have been counted correctly, it does not bring more guarantee. At least, the paper ballots should be kept and audited which is not the case in many States.
So instead of preparing paper ballots starting a month in advance, we try to print paper receipts for the millions of people who vote all on one night?
Well, the question is whether the increased safety (assuming your neighbour doesn't share your voting preference - I don't know if vote counting is usually done by two people from different parties, or something) is worth the increased cost. It seems unlikely to me.
It might be possible for aligned individuals to conspire, but it's unlikely.
When the community is sufficiently engaged, either you have differing political views and thus don't have to worry about conspiracy, or everyone has the same opinion and the conspiracy would just reinforce the true outcome.
Regardless, the possibility of that conspiracy is another great way to encourage participation. Republicans and Democrats both have an interest in the other side not tampering - combined that turns into a pretty strong interest in removing tampering altogether.
I'm not opposed to electronic voting but our systems seem to be really broken. There are a number of ways to handle this, all of which require strong transparent auditing.
The main reason I want to get sane electronic voting is so we can vote online from home. Given the inability of democrats and republicans to come up with any acceptable method of handling voter ID, though, I'm pretty confident that it won't happen for decades if ever. In the meantime at least my state does vote by mail.
I agree that a system that only has electronic records is very problematic. However, a system that includes a physical component (such as a paper ballot receipt) can be used as part of an electronic system to permit something that's auditable and verifiable.
ok, a receipt. How is this supposed to facilitate a recount? Not all voters will retain their receipts.
Not all voters will retained receipts will re-present them in the event of the need of a recount.
Are you saying a recount will be unnecessary if E2E is done properly?
I misspoke in saying "receipt". You're right that we can't rely on voters keeping their receipts for a recount. I meant a paper record of the vote kept in addition to the electronic record.
I'm not sure where I might have given the impression that a recount would not be necessary. A paper record makes a recount possible and the election system auditable.
The linked Wikipedia article on end-to-end auditable voting systems provides an overview and links to different methods of making voting systems more trustworthy. There's a lot of thought and details that go into it, and if it's something you're interested in, I suggest following up on some of the links and spending more time. I know it's taken me reading a lot of different articles and implementations, and I still need to look up different parts of it.
I did find this slide deck from Ron Rivest helpful:
"Auditability and Verifiability of Elections"
ACM-IEEE talk March 16, 2016
It seems pretty simple to me. Have the machine print a receipt that shows your info and who you voted for, have the voter check it over and sign it, and then have the voter hand it in before leaving the voting station. The receipt is really no different than a paper ballot at that point.
That's not to say that other security precautions can be ignored. Ideally I'd think there should be mature open-source software running on secure intranets for each voting station, and transparency at every level of the process, including better transparency in how those physical receipts are transported, handled, and stored.
Bear in mind that by requiring each voter to sign their ballot slip, you're reducing the anonymity of the election, since it's potentially possible to prove that you voted in a certain way to sell your vote.
Two systems. One assigns a unique a temporary code to you on arrival at the polling station, much like those "take a number" queues at places. Then another unconnected voting system with printable receipt.
Step 1) You queue, get a "Temporary Voting Id"
Step 2) Enter the booth, enter your "TVID"
Step 3) Vote
Step 4) The Machine prints your Receipt with your vote clearly visible and your TVID as local proof its you and your vote is right.
Step 5) You fold your printed ballot and put it in a box.
Step 6) You fold your ID Receipt and place that into a "Validation Box" as you leave.
Step 7) All machines keep and print a "Tally" used as the count.
Step 8) All ballots and validation id's are saved in boxes and shipped ready for recounts if needed, ID's can be matched to ballots to validate attendance and votes anonymously.
Bonus Step) ALL vote machine should produce a "Vote Audit" when asked that will show a full history of votes (without times and in random order) and the ID's used and ALL id generation machine should produce all vote id's generated (again without times and in random order)
You can stuff the receipt box with fake receipts just to culture jam. IF you're going to pre-print certified serial numbered receipts, why not ballots? I suppose jamming the receipt signal would be wise if you're otherwise hacking the vote. It certainly would be easy.
The UI of a #2 pencil and a pre-printed form is a lot simpler and easier to use and un-jammable compared to an e-voting machine printer. Also cheaper and harder to hack.
If you keep your ID receipt theoretically you could prove your vote and sell it. If you don't keep your receipt, they might toss out your vote and you'll be unable to prove it. There are cryptographically secure-ish ways to work this, mostly involving statistical security (I forget the exact term, the kind that makes engineers pull their hair out because the algo looks inefficient but the inefficiency is the source of the security)
Even worse I assume multiple votes per TVID would overwrite the previous vote to handle user interface mistakes (see above, why must we use a complicated electronic UI instead of a #2 pencil and paper UI?). So any poll worker with access to the unshredded TVID has root password and can change everyones vote at their leisure.
You should have inserted the votes into a networked blockchain so people can ask WTF if 50 votes are changed ten minutes after the polls are officially closed. Or people could ask WTF when district #239 is the only district to have 50 revotes more than five minutes after the original vote. And the blockchain would store the former pre-tampering ballot which might be handy once the corruption is identified.
Of course it'll be fun to link the timestamped blockchain to CCTV cameras everywhere, so if you timestampped blockchain you no longer have anonymous voting, every ballot is now linked to license plates and face pictures, thank you "war on fake terror".
If the TVID is not cryptographically secure you don't need access to the box of stored TVIDs, because I see they handed #200 to me, #201 is next on the table, why shouldn't I type in and "correct" votes for TVID #190, #191, #192, #193 ... while standing in my private booth?
If I walk out the door with a cryptographically secure verified TVID and just toss a blank piece of paper into the TVID disposal box, then I can sell my TVID to someone for money or booze or sex, then dude walks in with my TVID, gets one of his own, votes for the two of us. You'd need to timestamp each TVID for a limited validation time. I could see management at companies requiring people to hand in their TVIDs to get their timecards or paychecks. Or at soup kitchens. Or crooked cops, or especially college professors. Imagine trying to explain you can't give your TVID to your feminist studies professor because your african world heritage professor already took it, which class do you accept the "F" in?
Essentially with TVIDs you're trying to implement Kerberos tickets which is tricky enough for computers, much less 80 year old deaf poll workers who dropped out of high school during the great depression and have never touched a computer. Every security hole or bug thats ever existed in Kerberos needs patching.
There are so many problems I'm kinda bored right now, but I can tell CCTV attacks and cellphone camera based attacks are going to be a very interesting problem. Essentially any security guard with a high res camera pix of the stack of TVIDs has root over your system, I think. If the TVIDs are preprinted any corrupt person with physical access to them before the election or before the recount anyway, who owns a cellphone camera or has access to a photocopier has root. Big data attacks might be possible, "sell" memorized TVID number to the bartender as part of a "I voted so now I get a free shot" sounds very much like democracy boosterism until the employer collects memorized ballot receipt number for their own parallel "I voted so I get a free ice cream cone at work" ...
The gold standard, which has been deployed where I live for a couple decades now, is to skip all the e-voting network touchscreen foolishness and simply fill out an optical scantron sheet like the tests you probably filled out in school.
The last step of voting is inserting the ballot into the scantron machine. Valid ballots are eaten, invalid are kicked back out at you.
Theoretically the machine can output running totals at any time, and if you've never seen an optical scanner in action you'll be surprised how fast it can scan and grade a classrooms worth of multiple guess tests, less than a minute to scan and process perhaps a hundred tests, so a thousand people living in my voting district is not exactly a data processing challenge. The votes can obviously be counted by hand of course, they're just custom printed multiple guess test sheets.
Optically scanned paper tapes and punch cards were contemporary in the 60s and optical scantron machines appeared shortly after. I'd estimate my state converted from mechanical voting machines and mimeograph machines to scantrons and photocopiers about the same time, lets say 1980 although maybe as late as 1984 or earlier in the 70s. I distinctly remember watching my parents vote one last time on an old fashioned voting machine when I was a little kid, probably voting for Nixon, may have been Reagan but I'd have been too old by then, I think. Old fashioned mechanical voting machines were cool and steam punk ish in appearance.
Its such a simple, cheap, reliable system that it almost leads credence to claims that elections are being intentionally rigged. Its hard to explain otherwise why something so cheap simple and logical is being covered up and so few people know about it. Ironically I live in a non-swing state in a gerrymandered district so my vote has never mattered and never will, but at least if I ever get a chance to influence politics via voting, its pretty obvious my vote would be counted fairly.
Not that I'd hold the UK up as a good example of democracy, but here there is a unique ID on each ballot paper that is noted down on a list next to your name when you vote. The ID/name list is kept securely, but can be used to find a voter's ballot paper later in the case of a dispute over the result or fraud.
Receipts are retained by the guys holding the election, not the voters. A physical record of which way a vote was cast would be an excellent way of enabling bribery of voters, and no sane system would allow it.
That's also why photographing a ballot paper is usually banned in polling stations.
Not in Mexico, vote buying is pretty common. But over here it pretty much relies on the fact that poorer folk don't know your vote is completely anonymous. They'll tell you sure I'll give you money, a TV, cellphone, whatever. But I will find out if you don't vote for me, and most simply believe it.
And in the latest election where the incumbent party lost, It was pretty publicized that they went to a lot of the poorer colonies to try and get their money, cell phones and tvs back. All quickly forgotten as soon as the media got a whiff of it.
Buying votes in a first world country probably isn't possible as most people are somewhat (and probably wrongly) educated on the topic, and hold pretty firm views on it. However, it's a piece of pie on mostly illiterate people. Even then, people get tired, see the latest elections in Mexico.
Electronic voting can mean different things as computers can plan different roles in the voting process. For example, just in terms of recording votes, we have
- internet voting
- touch screen voting
- optical scan voting
Computers can also be used in other roles, such as voter verification, vote tabulation, and results transmission, result verification, and auditing.
With only paper ballots, arbitrary vote verification is likely to be a tedious process, if possible at all. Cryptographic methods such as homomorphic tallying can ensure vote secrecy and vote verifiation. This can also provide stronger guarantees of chain of custody integrity by verifying voter receipts or cast paper ballots are included in the final tally. With only paper ballots, trust that a given cast ballot is included in the result relies on trust in those doing the tallying and the chain of custody of the ballots themselves.
One could imply from the phrasing of your question that you have reservations about any benefits electronic voting might have. What's your take?
I fail to see how the benefits outweigh the added complexity and lack of trust.
Optical scan is the only above mentioned method that can be verified by laypeople.
Also, although a tedious process, paper voting has worked for quite some time. Centuries?
Chain of custody will always be a problem, whether it be source code to a compile runtime, or paper ballots.
However, the potential for abuse seems less likely for a more manual process.
A voter signs in to vote, so we know how many voters to reconcile to the same number of ballots. If we have more ballots cast than signed in votes, we have a problem.
Additionally, ballots are serialized, though not associated with any particular individual. So we know what ballots were used and unused. If we find multiple ballots with the same serial number, we know there is a problem, too.
Voting should not rely on a blackbox algorithm. The majority of the voting public can count pieces of paper, but can they understand and verify code running on a device?
Who cares if it saves time, particularly at the cost of transparency and trust?
My question to you is, what problem did electronic voting solve (as implemented in the US), that needed solving?
One method of avoiding fraud in electronic voting systems is double-voting. It goes as follows:
- Wait until all electronic ballots are set up in their zones in election day.
- Randomly (this can be even done in a public, audited draw) select a few ballots to test.
- Remove those ballots from use and replace them with spares.
- Now, somebody publicily double votes on the tested ballot: they publicily vote for candaidate X in the ballot, and on paper (although just showing the vote allows any observer to keep count indefinetely).
- At the end of the test, print the count from the tested ballot and verify that it is accurate to the publicily counted votes.
What do you think about this?
IMO, while not totally fool-proof, this brings the cost of manipulating electronic elections rather close to paper elections, if the following assumptions hold:
- The draw is fair, so a malicious actor could not program only the selected ballots to be fair;
- The chain of custody of the ballot is solid (easy to do if there are party auditors that never lose sight of the ballots), or that the ballot is not moved out of the sight of the public instead;
- There's no available method to make the ballot know it's being tested, and change its behavior (like in the VW emissions scandal).
The last point is tougher, although auditable source code, code-signing, and reproduction of as many 'true' conditions as the real election (same duration, same time, same voting frequency, etc, maybe going as far as to randomly select normal voters to participate in the process).
My question is why? Why is everyone so eager to replace paper ballots? What problem does electronic voting solve?
Paper votes work, and they work well. Besides the obvious downside of needing to wait for them to be counted, they are safe, open, they don't break down, they can't be hacked, anyone can verify them, and they are 100% anonymous.
At worst, you'd need many people to collude to stuff a single ballot box in a single district, and even that can be thwarted by a single person watching the ballot box all day.
If we presume that the promoters of the idea are intelligent and understand the consequences, then why is it not reasonable to think that the ability to affect elections or otherwise weaken the electoral system is the gain they seek?
I feel that misunderstanding and ignorance is more to blame than malice.
Many programmers know about the "beauty" of encryption and secure voting algorithms. They know that open source works, and it's really tempting to try and think up a system that is "perfect" and can't be gamed by anyone.
But this is an instance where messier and less "perfect" is better, because the absolute worst case scenario of being able to actually change the election is so much harder with paper, and anything less than that worst case scenario doesn't change anything (and still has all of the risks and downsides).
I personally am eager to replace paper ballots with electronic in a vastly different voting system. But it would have to be a cryptographically sound electronic voting system that runs as open source on the users machines and is publicly verifiable.
The reason I want this is because it allows much more fine-grained voting. My ideal democracy is a direct democracy where every voter can, if he/she chooses, to vote on arbitrary issues, but _delegate_ their vote to someone else by default. As an example: "I politically align with Bernie Sanders, so I want by default my vote to delegate to whatever he's voting for, but for issue X I vote Y."
In an ideal world you could even delegate votes based on "tags", e.g. for Internal Affairs you choose X, and Economy Y, etc. But that seems fairly easy to manipulate by whoever is assigning the tags to issues.
There are a lot of unresolved issues around the notion of direct democracy. Referenda prove this point — e.g., the Brexit referendum and the EU-Ukraine association pact referendum in the Netherlands. In both cases media and pressure groups hijacked the process of forming an objective informed opinion, and in the Dutch case most people didn't even fully grasp what they were voting for — they just voted against out of discontent.
I am sure that there are ways to improve citizen participation in the democratic system, but directly voting on issues is not going to give us the sensible behaviour you might hope for. Representational democracy exists in part to prevent minorities from abuse by any majority — with direct democracy you eliminate that protection.
I am aware of the issues of direct democracy, but my hope is that the "defer by default" prevents most of the issues. On top of that there'd have to be education that makes people wary of others that try to convince them to specifically vote for issues that they didn't have a strong opinion on before.
Electronic voting makes superior voting systems like condorcet methods possible. Paper ballots are only really best at first past the post, which is by far the worst system of voting.
germany has no first past the post election system and elections here work perfectly fine using paper ballots. On a regional level, elections can actually get quite complicated with options to strike candidates and add multiple votes to a candidate.
It's certainly more work to count those votes, but on the other hand, everybody is entitled to go check the vote count and everybody can do so with no technical knowledge needed. Any system that requires the observer to be firm in a given piece of technology is not a superior system since it removes peoples ability to exert their right to check the public vote.
I was wrong, you can implement some alternative vote systems with paper ballots (and more work for the vote counters.) I don't like those systems personally, as I mentioned in the above comment. I don't think it would be possible to implement a system I do like, like condorcet voting, without mechanically counting votes.
Equally mysteriously in the definition games, optical scanned paper ballots are never considered the same as electronic voting, although its possibly the only unhackable cheap system out there, and its just as fast, if not faster.
Also frankly more people are familiar with the UI of "#2 pencil and piece of paper" than any electronic UI I can think of or imagine, which is somewhat damning for cultural reasons on this site resulting in it being double plus ungood badthink to imply anything could be superior to contemporary trends in web and phone app UIs.
I don't think OCR is reliable or trustable enough for election software. Even the best humans and machine OCRs mistake some percent of written numbers.
I was curious if we were running into a millennial vs old timer situation, I googled to verify, and the ballots I'm talking about and the OCR-ish technology used is exactly the same as ACT and SAT tests still in use. Although I read that for many years they have been planning to move online "soon" as you'd expect.
"Fill in the correct bubble" was very new technology when I was a young adult, apparently its still in use.
One handy thing about the ballot eater machine, as a voter, is I feed it a valid ballot and it emits a happy cartoonish beep song while eating and storing my ballot for later hand recounting, and feed it an invalid or questionable ballot and it immediately kicks it back at you with musical accompaniment indicating R2D2 is clearly not amused. The OCR contrast settings can be messed with such that anything even slightly questionable (erasures, etc) will simply not be accepted. The paper ballots being cheap and the technology being easy to understand, the poll workers simply give the voter a new ballot.
I was thinking of ranked ballots, where you write a number based on the rank you give a candidate. If you just want to fill in bubbles that's much more reliable. But creates more complex ballots.
My ideal system would have a voting machine that handles the complexity and fills in the bubbles for you. Then prints it out and let's you inspect it, and turn it in like a normal ballot.
Nonsense. There are plenty of fairer voting methods that can, and do, use paper ballots. STV, Additional Member systems, Party List systems. These are in use throughout the world for national elections.
All of those would require changing the constitution and the structure of congress (basically impossible), and wouldn't work on things like presidential elections to begin with.
I also have other issues with them. Like runoff voting systems drop a moderate candidate that most people would prefer in a 1 on 1 election, but isn't listed as enough people's second vote. Resulting in more extreme, less liked, candidates getting elected. It's better than FPTP, but not by much.
If I understand this correctly, you want to randomly force some-one to make their vote public.
This makes voter intimidation real easy. Just say: "if anyone's vote is made public and not for candidate X, I will murder them and their family". That basically turns voting for candidate Y into gambling with the life of your entire family.
The votes in the tested ballots are not counted in the election itself. A member of the public can secretly vote for their preferred candidate, and vote for an entirely different candidate in the auditing.
There's a strangely convoluted yet simpler solution where half the ballots are filled in by a poll worker rolling DnD dice and half are filled out by the voter. Voter puts their two ballots into random two piles. Then count and publish a random half the ballots and shred the other half stack. Each voter knows and can prove to anyone that at least one of two known votes was correctly counted but can't prove if the ballot was filled out by voter or poll worker using dice. Assuming the DnD dice the poll worker used are fair, the result of the election will not vary especially in our highly gerrymandered non swing states. You'd need some statistical math to prove if half the votes are purely random and the results are 50.0001 vs 49.999 then you need (or don't need?) to rerun the election. Very few peoples votes matter and in those district they might have to rerun a couple times to get statistically verifiable results.
This helps with ballot stuffing, if 200 voters in the district verified their vote and election monitors counted about 200 people walked thru the door but the corrupt system published half the ballots online and theres 500 of them implying 1000 voters, well, someone faked an extra 800 voters.
The problem is complicated and you can't actually use DnD dice because most disenfrancised voters fill out straight ticket ballots and are therefore not part of the decision making fraction of the population, so someone could pay or punish based on votes exactly half their victims who don't have a ballot that looks like it was made by a purely random dnd dice roller. So you actually have to figure the percentage of people last time around who voted like whatever logical scheme, then make the poll worker fill in ballots that look like a reasonable ballot from last time around. "VLM you get serial number 200 and I as poll worker fill out serial number 201 and looks like your "random" historical voter for 201 is straight ticket R"
Also you can't let the voter pick the ballot he fills out because then Mr bad guy can kill any odd serial numbered voter for Trump because he told his employees or students or whatever they must select and vote the odd one never the even one, so half the random ballots being odd means trouble for half the voters. Face down pick one might be OK.
Note that under this scheme it might be safe to even publish the name of both ballots, just so long as a random half get shredded.
Any individual poll worker with a photographic memory could theoretically sell a list of ballots he filled out vs the voter filled out but its purely he-said-she-said and the poll workers memorization job will be hundreds of times larger than a voters memorization job so I think it incredibly likely the voter will be trusted to lie as best serves him rather than the poll worker be trusted to tell the truth.
How the random half get shredded is likely going to be a sticking point. It has to be visually enforced the entire voting period that each voter puts one ballot in one pile and one in the other and when polls close the observers do a coin flipping cryptographic protocol and immediately shred one random stack. You can't shuffle them all and then shred or whatever. Someone putting both ballots in one pile will screw things up. There are trivial ways to enforce this of course.
A list of all my historical published votes would after decades provide a random signal and a pattern of my own voting. However my own voting makes a random signal for some other dude, and today any goofball who wants to discriminate can pull the district records and know the couple hundred of us who vote here always vote about 80% R so although discrimination would be possible it wouldn't be any easier or more effective than it is today anyway. Go ahead, knowing nothing other than I live in an 80% R district take a guess what I usually vote...
Technically this scheme disenfranchises a completely random half the population. Well, since only half the populatio...
Another interesting thing I cam across is [ThreeBalot](https://en.wikipedia.org/wiki/ThreeBallot). It has some non-obvious but solvable issues with non-binary votes (essentially like your system).
A weakness I see in both your system and ThreeBalot, is the need to trust in some decision maker to act correctly. You need the poll worker to actually work randomly (and not have awesome memory), ThreeBalot needs a way to confirm ballots are entered correctly.
I think the biggest sticking point with your system is the random aspect. We are essentially introducing noise into the votes. The noise might be negligible, but it impacts people's perception massively. There is also the challenge issue, because you'd need some arbitrary cut-off on the probability of the noise being to large. After all, the chance is technically nonzero that all random votes went the same way, and only the random votes were counted.
This is why we need a national electronic system using open source code. Each citizen of the republic should be assigned a citizen identification number and a second factor (password or fingerprint). We all go to a web site to vote. Voting opens for seven days, and closes at midnight PST the final day. Results are announced immediately afterword. It's time for the electoral college to be retired.
Anyone can count along with a ballot box. Anyone can stand there all day and watch the box to ensure there is no tampering, they can count, recount, and recount again. Anyone can do this. Plumbers, programmers, doctors, the unemployed, the elderly, and even the illiterate. It can be counted by one person, or 100.
But when things go electronic, the number of people that can even understand it is cut down to programmers. And the number of those that could accurately vet the security of a program is even smaller. And even a perfect electronic system needs loopholes (you can't just disenfranchise voters because they forgot their password or don't have a computer), which means the ability of fraud is still there.
Paper works, and takes a LOT of resources to sway even one precinct (even just the fact that it requires purchase of physical materials ups the amount of cover up required), let alone a county, state, or the federal levels. And because of the number of people involved, if someone did try the chances they would be found out is pretty damn high.
The only people that understand the banking software are programmers and whole world runs on it every second of every day and you're worried about using software to count votes?
Anyway, acting like paper voting stop fraud is just... blind. If you think people as well connected and funded (and motivated!) as our politicians can't move the right pieces of paper to the right places with the right people, you're insane.
The only people that understand crypto are mathematicians but I'll stick to encrypting my electronic messages.
Also, I really like this:
"Anyone can count along with a ballot box. Anyone can stand there all day and watch the box to ensure there is no tampering, they can count, recount, and recount again. Anyone can do this. Plumbers, programmers, doctors, the unemployed, the elderly, and even the illiterate. It can be counted by one person, or 100."
No voter left behind lol, if not everyone can do it, we can't trust it.
> with polling locations distributed to balance load
Better yet, do mail-in voting. It works fine for several states already, and all of them see strong correlation with voter participation, unsurprisingly. It's also cheaper. And keep a few basic polling locations around as a fallback for those unable or unwilling to deal with mail.
How do those states that use mail-in ballots deal with the delay that introduces? Must the ballots be post-marked in advance of the election to count? Or, do they defer calling elections until days after the election?
It varies. In Oregon, any ballot that is received by the post office by the cut-off date (8pm election day) is counted. In Washington, it's as you've described - any ballot postmarked by election day are counted, so it takes a few days to fully count everything.
Mail in voting can disenfranchise those without a permanent address though, which is an issue to be considered.
And then there's the cases of voting papers being dumped rather than delivered to constituents. And the possibility of tampering with the votes in the mailing system. It wouldn't be hard for malicious actors to toss out papers in majority Republican or Democrat areas to attempt to sway the election.
And having "a few" polling stations would mean that they are further apart and less accessible for people, especially poorer people who don't have the same means and time for transport.
"all of them see strong correlation with voter participation"
Yeah I bet. Your boss will trade your mail in ballot for your paycheck this week. Turn it in with your calculus exam for 5 bonus points. Don't forget to take your ballot to Bible study group this Sunday, we're going to fill them out together to make sure we do it correctly. If you're in a nursing home just hand it to your favorite nurse, after all she's in charge of your medication so you have motivation to keep her happy. Your postman will simply toss it out if he doesn't like your vote but he does have a bid out for $5 if you'd like to sell, because one of the local parties is buying from him for $10 per ballot. On the other hand the gas station clerk down the street is offering $9 because his margins are lower and he paid off the cops like he paid off the health inspector and he's easier to get in touch with.
I suppose if all the dollars are concentrating in ever fewer hands, we need some kind of paper currency, and if they'd allow early voting up to perhaps 3 years and 364 days before the next election... Its possibly the only way we'll ever see the government getting a form of currency into the general public's hands to boost economic activity rather than just bailing out the bankers as usual.
Mail in is fairly banana republic tier. Its kinda like drug legalization, yeah that stuff isn't good for you, but at least if its above board and semi legalized then at least we can observe and track it, kinda, rather than underground and out of control. Actually its more like a red light district, the only way to make it worse would be to drive it underground. At least looking at vote totals we can tell how corrupt an election is based on level of mail in voting rather than knowing its bad but not how bad in total.
Your boss doesn't need to ask you to trade in your ballot for that. They just need to tell you to take a photo of your filled ballot, inside the booth, before you go and stuff it into the box. Which is exactly what they do in countries where it's a problem.
At the same time, I'm not aware of literally a single complaint about this kind of thing in US states that practice mail-in voting...
And drug legalization is "banana republic tier", really? No. It's a recognition that "this stuff isn't good for you" is not a sound basis for passing laws, for one thing - and for another, it turned out that a lot of "isn't good" was just plain out lies and misdirection.
I mean, seriously, are you saying that WA and OR are banana republics?
I hugely support electronic voting. Electronic voting makes it possible to implement superior voting methods, like condorcet systems. These systems are difficult or impossible to implement by hand, but trivial to do with a computer.
Properly done, a voting machine doesn't need to do anything more than count and tabulate. You press a button, and it adds a new vote to it's table. The vote could be printed out on paper. It could even be done via punch cards first, and then fed into the voting machine (which makes the process more inspectable by humans.)
The voting machine need not know what each candidate even is, what party they are, just assign them numbers. And it doesn't need to receive updates, or have any method of input other than reading punched cards or a voter pressing a button. It certainly doesn't need to be based on windows XP and have usb inputs. It certainly shouldn't send votes over wifi.
What would you prefer, a Condorcet election which nobody believes is fair or FPTP election where everyone can count the ballots?
I think pushing for "superior voting systems" is really allowing the best to be the enemy of the good here. STV is perfectly doable by hand. AMS is only fractionally more complicated than FPTP. But most US elections (and the UK parliamentary ones, although none of the other kinds of election in the UK) are FPTP.
Let's not allow the desire for better voting systems to be tied to untrustworthy technology.
Edit: the barrier for getting a system adopted has to be "can you explain this to a partisan of the opposing faction with a high school education, and get them to agree that it's fair?"
If you read my comment, you see I don't believe these are mutually exclusive at all. There's no reason a voting machine could be made reasonably tamper proof. Or at the very least, air gapped and uncaring of the names of the candidate. It literally only needs to be a tabulating machine for punched cards, or something similar.
I really dislike instant runoff voting and similar systems like STV. They are better than FPTP, but not by much. One big issue is discussed here: https://www.youtube.com/watch?v=7Q7rzqJ0YS8 But my main concern is they might tend to elect more extreme candidates, because they quickly drop candidates that don't have enough first votes, even if they are everyone's second vote.
Ideal election system > paper count with representatives of the party > actually existing electronic voting.
The problems of actual existing electronic voting are a microcosm of bigger problems. We get insecure, ineffective voting machines because procurement is difficult and tends to be captured by lobbyists.
Condorcet superiority seems not all that important in practice: http://www.fairvote.org/why-the-condorcet-criterion-is-less-... , and if you have suitable multi-member constituencies for STV then you tend to end up with a couple of "extremists" and a large group of moderates in the middle.
Again, let's not let the best be the enemy of the good.
The article you linked to goes on and on about the exact issue I mentioned. IRV tends to select for extremist candidates. Condorcet methods tend to punish them. The article tries to defend this, but I see this as a very bad outcome. Extremist candidates can do much more harm than good. Centrist candidates are more rational and tend to be less likely to do crazy things. Condorcet methods ensure the winner will be the best possible compromise, IRV gives very inconsistent behavior but can favor extremists, but can also punish third parties (IRV still suffers from vote splitting in many cases, see video I posted.)
Why not a hybrid? Anonymous paper ballots counted by machines. First, you enter your vote in a machine and it spits out a punch card. The punch card must have a single hole on it clearly corresponding to choice X, or no holes and a name printed in OCR type in case of a write-in vote. The punch cards are collected and then taken to a vote counting machine which tallies the votes with no knowledge of voter identities.
Basically the problem is with data being kept in an opaque digital database, not with vote tallying being done by a machine. If we can keep the database in a form that's untamperable and final, there's no problem with using machines to do the vote counting.
@hellbanned user, that's a good idea and seems to solve the problem. The voting machine just producing punch cards for a separate counting machine allows for easy human inspection of votes and auditing. I think such a system would be pretty secure.
Don't throw the baby out with the bath water. Just because current electronic voting is bad, doesn't mean it has to be.
There is even a theorem that, under plausible models of voter strategy, Approval Voting will tend to elect Condorcet winners (i.e. candidates who beat all rivals by a head-to-head majority).
Any electronic voting system needs one simple feature. While it may be impossible to hand check all of the voting machines, it must be possible to hand check any given voting machine with absolute certainty.
I think recent history has shown this hasn't worked out quite that well in many cases, and that in other cases was easily manipulated for purposes of fraud. There are entire sections of various law enforcement agencies that focus on this very topic.
>> Operate and monitor medical equipment
What would be the benefit of manipulating this?
>> Monitor and control planes, trains, ships, and cars
What would be the benefit of manipulating this?
I would second guess anything that uses a computer to keep a record of something that someone would have a direct benefit if manipulated. It's not a matter of whether it works or not, it's a matter of how easy is it to manipulate for a particular goal.
I can only see the benefit of a targeted assassination for a very specific subset of a subset of a subset of people, not large scale killing of people. Warfare maybe? For fun? Not as obvious as fraud for monetary gain, there is a scale issue to consider.
I worry more over bugs that kill people on the operating table or in the air as opposed to someone manipulating the equipment for some unknown benefit.
> Warfare maybe? For fun? Not as obvious as fraud for monetary gain
Wars are extremely profitable for some.
> I think you're exaggerating just a bit.
I think you are being myopic. We trust computers with thousands of important tasks. If we can't trust them for voting, we really have to reconsider their usefulness.
But, reading back over the posts I see that I introduced the concept of warfare even though the original points I questioned did not. So, back to my first questions; who benefits from manipulating medical and aircraft equipment on a large enough scale to be compared to potential financial fraud?
Wait, targeted assassination that starts a war... That's been done before, but unlikely.
>> If we can't trust them for voting, we really have to reconsider their usefulness.
It's not that I don't trust the computers, it's that I don't trust people.
I assumed "killing people" was broad enough to include obvious cases such as war :)
> So, back to my first questions; who benefits from manipulating medical and aircraft equipment on a large enough scale to be compared to potential financial fraud
Competing corporations via corporate espionage. A targeted hack against Siemens infusion pumps would force hospitals to consider alternatives.
> It's not that I don't trust the computers, it's that I don't trust people.
Every system in the world has been created by people with their own biases and faults. If we are really going down that path, then you must seriously consider going off the grid.
Banks, hospitals, airlines, rail systems, and automakers are all on the hook - if their system does the wrong thing, someone will notice the unbalanced books, bodies, or wreckage (other banks, Treasury, NTSB, NHTSA), and the institution will suffer serious harm.
How will you know if an electronic voting system produces a wrong result, except by running a paper voting system in parallel?
Do municipalities choosing voting machine contractors have incentives aligned to promote election integrity? Can they critically evaluate security properties of what they're being sold?
The republic is experiencing significant harm. If it was not, people would not be talking about it.
> How will you know if an electronic voting system produces a wrong result, except by running a paper voting system in parallel?
Audits? Open Source? Checksums? Hashes? We have many tools to verify the integrity of electronic data (I also never claimed it had to 100% digital)
> Do municipalities choosing voting machine contractors have incentives aligned to promote election integrity? Can they critically evaluate security properties of what they're being sold
If the choice is federally verified company A or federally verified company B, then yes.
I gotta wonder: if this was really a way someone was trying to steal an election...why would they bother?
Once you have thoroughly owned the voting machine system and can set weights why not, I don't know, just ignore the counted ballots entirely and report the totals as whatever you want?
If you go too far down the rabbit hole, you'll find that's what some folks believe. Been there, got the t-shirt. Ultimately not sure where I stand now.
I think the idea is that you want the results to "match-up" with exit polls and number of voters.
I assume it adjusts the proportionality so the sum total remains the same, and ballot questions that the hijacker is not concerned with are not skewed.
Since you have no idea how many people will vote until the conclusion, if you wait until after the conclusion to modify results, it would be more obvious and difficult.
I'm not sure that storing ints would be more resistant to fraud than storing as doubles. You could easily manipulate the vote by randomly switching X% of votes like so:
if wrongVote && rand() < X:
FlipVote()
This would have the same effect as fractional voting, even if you store as integers.
But that would be easily detected by looking at the source code or disassembly. I think the concern here is that the "weighted" election mode provides an easy way to manipulate election outcomes while providing deniability ("oh, that code is just used for weighted elections in California").
Wait, are there actual states in the US that use weighted elections? I thought the whole point of the US's system is that (ideally) every citizen has as much say as anyone else.
Apparently California has a system (Proposition 218) where local government can impose certain property taxes, but such taxes have to be approved by a 2/3 majority of property owners, and the vote is weighted by the amount of property they own.
there are cryptographic voting systems that would allow results to be verifiable and for voters to verify their vote was counted. That and FOSS voting software would probably help .
The paper ballots that caused the 2000 debacle really wasn't any better the problems with e-voting we have today. The problem isn't the medium of voting but who is in charge of creating and maintaining the ballots.
The paper ballots that were punch cards caused problems.
The paper ballots that were marked and optically scanned caused no problems and were easy and fast to recount.
Some counties in FL had the old punch card ballots, some had the optically scanned. All of the problems were with the punch card ballots. And with the lawyers arguing over hanging chads and other nonsense.
You're also forgetting about the butterfly ballots that confused voters because of their design. A large number of voters claimed they voted for the wrong person because of it.
Paper ballots works well in every European democracies and is far more transparent and secured than the electronic machines we have today. As a matter of fact, Germany has tested electronic machines but went back to paper ballots to preserve the reliability of the vote. The article doesn't just cast the doubt on electronic voting machines, it shows they are set-up to enable election fraud. How many more proofs is needed to convince voters that sadly, elections results can't be trust?
The rationale is to allow anybody to audit the system, so that soundness of the design can be proven against an adversary with perfect knowledge of it.
And yet Americans let companies enforce intellectual property rights over systems whose security (flaws) could change your vote...
> They allow “weighting” of races. Weighting a race removes the principle of “one person-one vote” to allow some votes to be counted as less than one or more than one.
This is extremely inflammatory language. What I think they mean is:
> They allow “weighting” of electoral contests. Weighting an electoral contest removes the principle of “one person-one vote” to allow some votes to be counted as less than one or more than one.
However, what they wrote seems to heavily imply a racial bias to electronic elections. Why they would choose to use such racially charged language around such a benign topic at this time seems only to drive links to their site over such a non-controversial issue.
I think they're using "race" in the contest/competition sense, aren't they? For other uses in the article:
"The “Summary” vote tally, which provides overall election totals for each race on Election Night"
and
"Presidential race in an entire state switched in four seconds"
Granted, they could have chosen other language that's less likely to be misconstrued. As for the choice of language, I don't think the article is all that well written (for another example, mixing "fractional" and "decimal" to mean the same thing). I don't think there was that much thought put into the language.
There have been many statistical analysis pointing out to potential election fraud due to the electronic counting of the votes. For those who missed it, here is a comprehensive report on potential election fraud during recent Democratic primaries: http://www.election-justice-usa.org/Democracy_Lost_Update1_E...
The last part is related to the electronic counting of the votes. Here what Fritz Scheuren, the 100th President of the American Statistical Association, had to say on the Democratic primaries “as a statistician, I find the results of the 2016 primary voting unusual. In fact, I found the patterns unexpected [and even] suspicious. There is a greater degree of smoothness in the outcomes than the roughness that is typical in raw/real data […] the difference between the reported totals, and our best estimate of the actual vote, varies considerably from state to state. However these differences are significant—sometimes more than 10%—and could change the outcome of the election”
I read part 1,2,3,4 and found multiple issues with this article. In part 2 they show results for alaska with fractional numbers. What isn't clear is that it's actually results from part 4 where they edited the access DB to change the numbers to match set percentages they wanted.
Second reading those emails in part 2 it seems they are discussing that the per candidate numbers in weighted elections (when the machines are used for those) then adding them they show totals with one less digit. But that only matters if they have fractional parts which they haven't shown to have happened in a real election.
There doesn't seem to be any proof of actual fraud here. Just a bunch of suppositions.
This is really disturbing. We need a DARPA-challenge level effort to get some better solutions designed for this.
It can't be that hard. A git repo per machine, recording an audit trail further verified by the block chain, could be the start of a solution, for example.
It's sad that elections, one of the most important things we have here in America are ran on closed sourced copyrighted systems owned by corporations. They say it's rigged, I would hope it's not but really who knows if they don't have access to the code?
I think it would be nice to have the source code open for review. However, that doesn't solve the problem. It's very difficult (impossible?) to guarantee the reviewed software is what's actually running on the machines, not to mention how does one validate the compilation, the OS, the firmware, the hardware—you get the picture. And the voting machine itself is only one part of the whole voting system.
It sounds like this is something you're interested in. I encourage you to take a look at what's being done. I've shared a couple of links elsewhere in this thread, which if nothing else can provide a starting point.
Yeah good point. Hashing the binary wouldn't really help because they could modify the GUI to report the wrong hash and most people who aren't computer people wouldn't really get what it means anyways.
I been thinking a blockchain based system would be interesting, but it'd have to be really easy to use for everyone. People who have no computer or phone all the way to the computer expert.
I think blockchain might have some application, but I'm unconvinced that computer technology alone is going to solve it. Have a look at this slide deck from Ron Rivest (of RSA fame).
What would be wrong with a voting machine assigning you a UUID that you can print out and verify your vote on a website where everyone else's 100 million votes are displayed?
When ballots are not secret, they can influenced by social, political, or economic actors through punishment and reward. For example, voters in many places used to face extreme peril if they voted against the candidate picked by their social group, party, or union. This peril ranged from reduced social standing, to loss of employment, and even physical violence. As such coercion is contrary to the democratic objectives of an election, secret ballots were introduced to ensure ballots represent the free will of the voters.
There are mechanisms by which one could both keep the ballot secret and allow a public tally. But to avoid hacking, like the floating-point vote-value in GEMS outlined in another story, the system does require bullet-proof crypto.
Regardless of how the ballots are counted, I do believe there should always be paper backups, scanned, and filed so that citizens can examine them digitally and in person if necessary. With that system one could spot-check any suspected irregularity. Only with such physical redundancy would I trust digital voting systems at this point.
Sometimes there's no substitute for good old dead trees.
Article 21.3 of the Universal Declaration of Human Rights states, "The will of the people...shall be expressed in periodic and genuine elections which...shall be held by secret vote or by equivalent free voting procedures."[19]
Article 23 of the American Convention on Human Rights (the Pact of San Jose, Costa Rica) grants to every citizen of member states of the Organization of American States the right and opportunity "to vote and to be elected in genuine periodic elections, which shall be by universal and equal suffrange and by secret ballot that guarantees the free expression of the will of the voters".[20]
Paragraph 7.4 of the Document of the Copenhagen Meeting of the Conference on the Human Dimension of the CSCE, obligates the member states of the Organization for Security and Cooperation in Europe to "ensure that votes are cast by secret ballot or by equivalent free voting procedure, and that they are counted and reported honestly with the official results made public."[21]
Article 5 of the Convention on the Standards of Democratic Elections, Electoral Rights and Freedoms in the Member States of the Commonwealth of Independent States obligates electoral bodies not to perform "any action violating the principle of voter's secret will expression."[22]
You still have to trust the machine that prints it. Which, I will admit, is still better than the current system. However, there are public ledger voting systems with stronger anonymity guarantees. So, my opinion is that if we're going to do it all over again, we might as well do it right.
Good point. That'd be an issue with any verification system isn't it?
Edit to add: If you can confirm that all of the ids are unique and that the total number of ids are correct, that would go a long way towards verification, along with checking arbitrary receipts against the results, regardless if the ids are pre-printed or printed afterward.
I'd prefer not having any printers involved though. Pre-printed ballots would work just fine and there's one less piece of equipment involved during the actual vote.
You send it to the person who it belongs to. Then when the want to check if their vote went through properly, they can look up the vote that corresponds to their UUID.
Okay. What prevents someone else from accessing the UUID, either before or after its sent to the person it belongs to? I could be missing something, but I think this is still vulnerable to coercion or vote selling.
Threats of physical violence? Bribes? There are ways to design the system that guarantee that the voter can verify they voted but can't prove who they voted for. No need to keep the UUID secret. It's very desirable to have a system that we can trust even if conditions aren't necessarily antagonistic.
BTW, thanks for engaging in this discussion. It's important and it's helping me rethink through all of this.
Those are problems with all voting systems. In the current system someone could Threaten/Bribe you to take a selfie with your ballet after it has been filled out.
Okay. I'll grant that there are likely ways to potentially coerce or sell votes in any system. If there are straightforward, inexpensive ways to make it more difficult to do so, we should.
The poll workers can and will force you to do that. They take great pride every election in telling the local TV news types doing human interest stories that taking pictures of ballots accomplishes little other than pissing off the 80 year old poll workers who now have to work even harder. Some probably do successfully slip thru the system.
Another option is making a fake ballot. The local newspaper used to helpfully publish their suggestion of how a devout left wing progressive would fill out their ballot. They're currently the establishment, so they're likely to be the largest problem, and its solved right there.
Systems that provide receipts effectively do this. There are some details to ensure that the receipt/verification system doesn't reveal the actual vote to prevent vote selling or coercion. See ThreeBallot[0], Scantegrity[1], and Prêt à Voter[2] for examples.
The machine could just give you the UUID of a previous vote for the same candidate, and change your vote to another candidate. Using a HMAC with a personal secret key would work.
The CEO of Diebold Election Systems in 2004, where GEMS came from, was Walden O'Dell, who was also a fund-raiser for the Bush campaign at the time.[1] "I am committed to helping Ohio deliver its electoral votes to the president next year" wrote Mr. O'Dell.[2] He resigned in 2005 after being indicted for securities law violations.
On reading that headline I thought maybe someone had come up with a voting system where you could assign a portion of your vote to one candidate and a portion to the other. E.g. 60% to Clinton, 40% to Trump
I'm deeply unconvinced by TFA (and the rest of the series). There are insufficient technical details (and those that are there are taken way out of context) to judge whether a) the author's conjecture is reasonable, and b) the author actually has sufficient understanding of such details to make their claims credible.
There's stuff like 'some code I found an FTP server one time' which add considerable amounts of doubt and ambiguity.
That said, such objections merely highlight the root cause of the problem - the software and process is not auditable. If it was I could just go and check for myself. Without that access neither I nor anyone else can verify the claims, nor the counter claims that everything is legit (though see also Thompson hack, reproducible builds, etc)
I'm not a 'closed source = evil' kind of a person but here it seems like an absolute no brainier.
Its hard to implement those without timestamps and anonymity is impossible with timestamps plus ubiquitous cameras and modern image analysis software, not to mention "the internet of things powned by foreign governments and corporations".
I'm not implying anything, but an anonymous vote for Trump was registered into the blockchain at 9:55:01 at XYZ elementary school, and at 9:55:23 a hacked gas station security camera across the street shows a dude walking out the door and into a car license plate WTF-123 that seems to be registered at the same address as drivers license number 1234-XYZ which happens to be VLM and his rather studly DL demographic data (height weight race gender) seems to match the dude in the video... Meanwhile VLMs phone, which is powned by the NSA, KGB, and god knows who else, records VLM's GPS coordinates as in the voting booth at 9:55:01 and shows him driving the car back to the coordinates of his house. And of course VLM's kids went to that elementary school when they were little. So it could just all be a coincidence, but I think I might know who VLM voted for ...
Very true, it would not make a perfectly anonymous voting system, but I think it could prevent some fraud.
You could take steps to separate the name from the vote of course. e.g. After the person confirms their identity somehow, give them a random number that only they see/have access to, associate the vote with that number.
The "repos" could be made public and you could confirm your vote afterwards. No vote could be "changed" if it was in a chain of hashes...
Your point about timestamp is true. And although I personally think we could stand to be more open about how we vote (and also more accepting of others) I agree anonymity is important.
Perhaps a system like this would be efficient enough to greatly reduce the voting time window. Make it harder to determine who voted by timestamp due to "noise". (or perhaps, can't vote unless there are 5 people present... not a perfect solution, just throwing some ideas at the wall.)
187 comments
[ 2.7 ms ] story [ 95.9 ms ] threadNow I understand the core beef: that a schema change to this voting software caused all votes to be stored in their relational DB as doubles instead of ints, and a good way for observers to verify that an ordinary election isn't behaving as a weighted one behind the scenes was never added, which makes this voting system insecure and not what a reasonable person would consider "observable".
The article you linked, on the other hand, made me feel patronized, skeptical of the author's central premise, and a little bit uncomfortable.
On top of that, they claim that there's also specific functionality to deal with rounding in the output results - why would anyone do it if they honestly thought that votes are always integer. In fact, they even present an email discussing the implementation of this, so it wasn't exactly under the radar.
Paper voting (with polling locations distributed to balance load) with hand counting and verifiable addition operations to get the final vote counts is what is needed.
Having voted in person at town hall, and then having helped count the votes, I know that it is doable - just like any other laborious task is doable with enough people involved. Electronic voting just doesn't buy you anything more than risk - all at the cost of verifiability.
The other advantage to hand counting with a neighbor nearby is that there is a strong penalty for manipulating the election - your neighbor will notice. These machines make it way too easy to manipulate elections at mass scale without detection.
The resistance [from several in the industry not just your comment] to making voting happen via software really concerns me.
Voting systems do not have that.
If the voting machine vendor executives faced actual personal serious jail time for botched counts, I might be more inclined to trust it. Then again, I bet you a tenner they'd suddenly have a lot more fail safes in place.
Aligned incentives is absolutely, 100% required for anything to work in our society. It's what we're built on. Otherwise you will always be swimming upstream.
Even with a threat like that, they'd probably still walk free by just using the DMCA to silence the security researcher
[1] https://en.wikipedia.org/wiki/Online_Policy_Group_v._Diebold....
I wish more people understood this simple fact of human psychology. It's astonishing how often people will support some system that incentivizes bad behavior, and then act surprised when people behave badly.
What's more, when faced with this situation, these same people will resort to shaming the bad actors rather than fixing the broken system.
Each and every idea has a logical optimum strategy for the trust to maximise income, and all of them aren't quite what you're trying to achieve. So you really want to blend some of these (and others) together in just the right mix, but without creating hundreds of hours of admin just to support the metrics.
What are the incentives for voting machine manufacturers to do a good job? Engineering a trustworthy system is tough, and it's expensive. If the machines cost twice as much, no one will buy them and it won't matter if they're more secure. And the market itself is unhealthy. If you spend 10 million on voting machines, you won't replace them the next year even if a bunch of security issues surface. You'll "demand" the company fix them, they'll issue some half assed patch, and you'll go on using the junk you bought.
https://people.csail.mit.edu/rivest/voting/papers/Chaum-Secr...
Not sure it beats paper ballots and hand counting in terms of practicality, though :)
OK VLM your boss needs a Trump receipt, your communist college professor needs a Clinton receipt, you need another Clinton receipt for facebook and github or they will delete your accounts, that'll be one R, three D, would you like any complimentary green party receipts? OK here's all your receipts thanks for voting see ya in 4 years!
Heck hand them out with the bake sale goods. Have a free set of pre-printed fake receipts for ALL the candidates with some delicious chocolate chip cookies that fund this schools PTA. "Could I interest you in this cageless chicken egg gluten free organic soy oil brownie with a complimentary fake green party receipt?"
At the bottom of each voter's paper roll entry is a big bar code. This allows quick recounts by running the paper roll through a machine that reads the bar codes. A full manual check is also possible, but slow. The system goes through miles of thermal paper for each election, but works OK.
There's no way voting for candidates can account for vote theft in the same way.
Don't forget that Wells Fargo was able to open millions of accounts without consumer authorization. So maybe financial accounts are less secure than you think.
I'm also surprised by blanket assertions that electronic voting is inherently bad. But I'm equally surprised by assertions that electronic voting is inherently good.
With electronic voting, any method of verifying your vote is incompatible with the principle of a secret ballot.
(edit: additionally, with paper ballots and adversarial scrutineers, every vote will certainly be counted properly as the people who stand to benefit(the politicians) can raise an issue if a ballot is being counted the wrong way. It's much less likely that every individual would verify their own vote).
The resistance for voting via software may really concern you, but the push for it really really concerns me...
When the community is sufficiently engaged, either you have differing political views and thus don't have to worry about conspiracy, or everyone has the same opinion and the conspiracy would just reinforce the true outcome.
Regardless, the possibility of that conspiracy is another great way to encourage participation. Republicans and Democrats both have an interest in the other side not tampering - combined that turns into a pretty strong interest in removing tampering altogether.
The main reason I want to get sane electronic voting is so we can vote online from home. Given the inability of democrats and republicans to come up with any acceptable method of handling voter ID, though, I'm pretty confident that it won't happen for decades if ever. In the meantime at least my state does vote by mail.
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
Are you saying a recount will be unnecessary if E2E is done properly?
I read the linked article but didn't get it.
I'm not sure where I might have given the impression that a recount would not be necessary. A paper record makes a recount possible and the election system auditable.
The linked Wikipedia article on end-to-end auditable voting systems provides an overview and links to different methods of making voting systems more trustworthy. There's a lot of thought and details that go into it, and if it's something you're interested in, I suggest following up on some of the links and spending more time. I know it's taken me reading a lot of different articles and implementations, and I still need to look up different parts of it.
I did find this slide deck from Ron Rivest helpful:
"Auditability and Verifiability of Elections" ACM-IEEE talk March 16, 2016
https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf
Were there particular areas that didn't make sense to you?
That's not to say that other security precautions can be ignored. Ideally I'd think there should be mature open-source software running on secure intranets for each voting station, and transparency at every level of the process, including better transparency in how those physical receipts are transported, handled, and stored.
Step 1) You queue, get a "Temporary Voting Id"
Step 2) Enter the booth, enter your "TVID"
Step 3) Vote
Step 4) The Machine prints your Receipt with your vote clearly visible and your TVID as local proof its you and your vote is right.
Step 5) You fold your printed ballot and put it in a box.
Step 6) You fold your ID Receipt and place that into a "Validation Box" as you leave.
Step 7) All machines keep and print a "Tally" used as the count.
Step 8) All ballots and validation id's are saved in boxes and shipped ready for recounts if needed, ID's can be matched to ballots to validate attendance and votes anonymously.
Bonus Step) ALL vote machine should produce a "Vote Audit" when asked that will show a full history of votes (without times and in random order) and the ID's used and ALL id generation machine should produce all vote id's generated (again without times and in random order)
The UI of a #2 pencil and a pre-printed form is a lot simpler and easier to use and un-jammable compared to an e-voting machine printer. Also cheaper and harder to hack.
If you keep your ID receipt theoretically you could prove your vote and sell it. If you don't keep your receipt, they might toss out your vote and you'll be unable to prove it. There are cryptographically secure-ish ways to work this, mostly involving statistical security (I forget the exact term, the kind that makes engineers pull their hair out because the algo looks inefficient but the inefficiency is the source of the security)
Even worse I assume multiple votes per TVID would overwrite the previous vote to handle user interface mistakes (see above, why must we use a complicated electronic UI instead of a #2 pencil and paper UI?). So any poll worker with access to the unshredded TVID has root password and can change everyones vote at their leisure.
You should have inserted the votes into a networked blockchain so people can ask WTF if 50 votes are changed ten minutes after the polls are officially closed. Or people could ask WTF when district #239 is the only district to have 50 revotes more than five minutes after the original vote. And the blockchain would store the former pre-tampering ballot which might be handy once the corruption is identified.
Of course it'll be fun to link the timestamped blockchain to CCTV cameras everywhere, so if you timestampped blockchain you no longer have anonymous voting, every ballot is now linked to license plates and face pictures, thank you "war on fake terror".
If the TVID is not cryptographically secure you don't need access to the box of stored TVIDs, because I see they handed #200 to me, #201 is next on the table, why shouldn't I type in and "correct" votes for TVID #190, #191, #192, #193 ... while standing in my private booth?
If I walk out the door with a cryptographically secure verified TVID and just toss a blank piece of paper into the TVID disposal box, then I can sell my TVID to someone for money or booze or sex, then dude walks in with my TVID, gets one of his own, votes for the two of us. You'd need to timestamp each TVID for a limited validation time. I could see management at companies requiring people to hand in their TVIDs to get their timecards or paychecks. Or at soup kitchens. Or crooked cops, or especially college professors. Imagine trying to explain you can't give your TVID to your feminist studies professor because your african world heritage professor already took it, which class do you accept the "F" in?
Essentially with TVIDs you're trying to implement Kerberos tickets which is tricky enough for computers, much less 80 year old deaf poll workers who dropped out of high school during the great depression and have never touched a computer. Every security hole or bug thats ever existed in Kerberos needs patching.
There are so many problems I'm kinda bored right now, but I can tell CCTV attacks and cellphone camera based attacks are going to be a very interesting problem. Essentially any security guard with a high res camera pix of the stack of TVIDs has root over your system, I think. If the TVIDs are preprinted any corrupt person with physical access to them before the election or before the recount anyway, who owns a cellphone camera or has access to a photocopier has root. Big data attacks might be possible, "sell" memorized TVID number to the bartender as part of a "I voted so now I get a free shot" sounds very much like democracy boosterism until the employer collects memorized ballot receipt number for their own parallel "I voted so I get a free ice cream cone at work" ...
The last step of voting is inserting the ballot into the scantron machine. Valid ballots are eaten, invalid are kicked back out at you.
Theoretically the machine can output running totals at any time, and if you've never seen an optical scanner in action you'll be surprised how fast it can scan and grade a classrooms worth of multiple guess tests, less than a minute to scan and process perhaps a hundred tests, so a thousand people living in my voting district is not exactly a data processing challenge. The votes can obviously be counted by hand of course, they're just custom printed multiple guess test sheets.
Optically scanned paper tapes and punch cards were contemporary in the 60s and optical scantron machines appeared shortly after. I'd estimate my state converted from mechanical voting machines and mimeograph machines to scantrons and photocopiers about the same time, lets say 1980 although maybe as late as 1984 or earlier in the 70s. I distinctly remember watching my parents vote one last time on an old fashioned voting machine when I was a little kid, probably voting for Nixon, may have been Reagan but I'd have been too old by then, I think. Old fashioned mechanical voting machines were cool and steam punk ish in appearance.
Its such a simple, cheap, reliable system that it almost leads credence to claims that elections are being intentionally rigged. Its hard to explain otherwise why something so cheap simple and logical is being covered up and so few people know about it. Ironically I live in a non-swing state in a gerrymandered district so my vote has never mattered and never will, but at least if I ever get a chance to influence politics via voting, its pretty obvious my vote would be counted fairly.
That what the voting booth and envelopes are for. Its not a random thing. Our voting systems are low tech, but it's well designed.
And in the latest election where the incumbent party lost, It was pretty publicized that they went to a lot of the poorer colonies to try and get their money, cell phones and tvs back. All quickly forgotten as soon as the media got a whiff of it.
Buying votes in a first world country probably isn't possible as most people are somewhat (and probably wrongly) educated on the topic, and hold pretty firm views on it. However, it's a piece of pie on mostly illiterate people. Even then, people get tired, see the latest elections in Mexico.
- internet voting
- touch screen voting
- optical scan voting
Computers can also be used in other roles, such as voter verification, vote tabulation, and results transmission, result verification, and auditing.
With only paper ballots, arbitrary vote verification is likely to be a tedious process, if possible at all. Cryptographic methods such as homomorphic tallying can ensure vote secrecy and vote verifiation. This can also provide stronger guarantees of chain of custody integrity by verifying voter receipts or cast paper ballots are included in the final tally. With only paper ballots, trust that a given cast ballot is included in the result relies on trust in those doing the tallying and the chain of custody of the ballots themselves.
One could imply from the phrasing of your question that you have reservations about any benefits electronic voting might have. What's your take?
Optical scan is the only above mentioned method that can be verified by laypeople.
Also, although a tedious process, paper voting has worked for quite some time. Centuries?
Chain of custody will always be a problem, whether it be source code to a compile runtime, or paper ballots.
However, the potential for abuse seems less likely for a more manual process.
A voter signs in to vote, so we know how many voters to reconcile to the same number of ballots. If we have more ballots cast than signed in votes, we have a problem.
Additionally, ballots are serialized, though not associated with any particular individual. So we know what ballots were used and unused. If we find multiple ballots with the same serial number, we know there is a problem, too.
Voting should not rely on a blackbox algorithm. The majority of the voting public can count pieces of paper, but can they understand and verify code running on a device?
Who cares if it saves time, particularly at the cost of transparency and trust?
My question to you is, what problem did electronic voting solve (as implemented in the US), that needed solving?
- Wait until all electronic ballots are set up in their zones in election day. - Randomly (this can be even done in a public, audited draw) select a few ballots to test. - Remove those ballots from use and replace them with spares. - Now, somebody publicily double votes on the tested ballot: they publicily vote for candaidate X in the ballot, and on paper (although just showing the vote allows any observer to keep count indefinetely). - At the end of the test, print the count from the tested ballot and verify that it is accurate to the publicily counted votes.
What do you think about this?
IMO, while not totally fool-proof, this brings the cost of manipulating electronic elections rather close to paper elections, if the following assumptions hold:
- The draw is fair, so a malicious actor could not program only the selected ballots to be fair; - The chain of custody of the ballot is solid (easy to do if there are party auditors that never lose sight of the ballots), or that the ballot is not moved out of the sight of the public instead; - There's no available method to make the ballot know it's being tested, and change its behavior (like in the VW emissions scandal).
The last point is tougher, although auditable source code, code-signing, and reproduction of as many 'true' conditions as the real election (same duration, same time, same voting frequency, etc, maybe going as far as to randomly select normal voters to participate in the process).
Paper votes work, and they work well. Besides the obvious downside of needing to wait for them to be counted, they are safe, open, they don't break down, they can't be hacked, anyone can verify them, and they are 100% anonymous.
At worst, you'd need many people to collude to stuff a single ballot box in a single district, and even that can be thwarted by a single person watching the ballot box all day.
So what's the gain with electronic?
Many programmers know about the "beauty" of encryption and secure voting algorithms. They know that open source works, and it's really tempting to try and think up a system that is "perfect" and can't be gamed by anyone.
But this is an instance where messier and less "perfect" is better, because the absolute worst case scenario of being able to actually change the election is so much harder with paper, and anything less than that worst case scenario doesn't change anything (and still has all of the risks and downsides).
The reason I want this is because it allows much more fine-grained voting. My ideal democracy is a direct democracy where every voter can, if he/she chooses, to vote on arbitrary issues, but _delegate_ their vote to someone else by default. As an example: "I politically align with Bernie Sanders, so I want by default my vote to delegate to whatever he's voting for, but for issue X I vote Y."
In an ideal world you could even delegate votes based on "tags", e.g. for Internal Affairs you choose X, and Economy Y, etc. But that seems fairly easy to manipulate by whoever is assigning the tags to issues.
I am sure that there are ways to improve citizen participation in the democratic system, but directly voting on issues is not going to give us the sensible behaviour you might hope for. Representational democracy exists in part to prevent minorities from abuse by any majority — with direct democracy you eliminate that protection.
Not so sure, the paper ballot system may been hacked in 2000 US election. The other criminal activities of the Bush family make it more suspect, IMO.
It's certainly more work to count those votes, but on the other hand, everybody is entitled to go check the vote count and everybody can do so with no technical knowledge needed. Any system that requires the observer to be firm in a given piece of technology is not a superior system since it removes peoples ability to exert their right to check the public vote.
Also frankly more people are familiar with the UI of "#2 pencil and piece of paper" than any electronic UI I can think of or imagine, which is somewhat damning for cultural reasons on this site resulting in it being double plus ungood badthink to imply anything could be superior to contemporary trends in web and phone app UIs.
"Fill in the correct bubble" was very new technology when I was a young adult, apparently its still in use.
One handy thing about the ballot eater machine, as a voter, is I feed it a valid ballot and it emits a happy cartoonish beep song while eating and storing my ballot for later hand recounting, and feed it an invalid or questionable ballot and it immediately kicks it back at you with musical accompaniment indicating R2D2 is clearly not amused. The OCR contrast settings can be messed with such that anything even slightly questionable (erasures, etc) will simply not be accepted. The paper ballots being cheap and the technology being easy to understand, the poll workers simply give the voter a new ballot.
My ideal system would have a voting machine that handles the complexity and fills in the bubbles for you. Then prints it out and let's you inspect it, and turn it in like a normal ballot.
I also have other issues with them. Like runoff voting systems drop a moderate candidate that most people would prefer in a 1 on 1 election, but isn't listed as enough people's second vote. Resulting in more extreme, less liked, candidates getting elected. It's better than FPTP, but not by much.
This makes voter intimidation real easy. Just say: "if anyone's vote is made public and not for candidate X, I will murder them and their family". That basically turns voting for candidate Y into gambling with the life of your entire family.
This helps with ballot stuffing, if 200 voters in the district verified their vote and election monitors counted about 200 people walked thru the door but the corrupt system published half the ballots online and theres 500 of them implying 1000 voters, well, someone faked an extra 800 voters.
The problem is complicated and you can't actually use DnD dice because most disenfrancised voters fill out straight ticket ballots and are therefore not part of the decision making fraction of the population, so someone could pay or punish based on votes exactly half their victims who don't have a ballot that looks like it was made by a purely random dnd dice roller. So you actually have to figure the percentage of people last time around who voted like whatever logical scheme, then make the poll worker fill in ballots that look like a reasonable ballot from last time around. "VLM you get serial number 200 and I as poll worker fill out serial number 201 and looks like your "random" historical voter for 201 is straight ticket R"
Also you can't let the voter pick the ballot he fills out because then Mr bad guy can kill any odd serial numbered voter for Trump because he told his employees or students or whatever they must select and vote the odd one never the even one, so half the random ballots being odd means trouble for half the voters. Face down pick one might be OK.
Note that under this scheme it might be safe to even publish the name of both ballots, just so long as a random half get shredded.
Any individual poll worker with a photographic memory could theoretically sell a list of ballots he filled out vs the voter filled out but its purely he-said-she-said and the poll workers memorization job will be hundreds of times larger than a voters memorization job so I think it incredibly likely the voter will be trusted to lie as best serves him rather than the poll worker be trusted to tell the truth.
How the random half get shredded is likely going to be a sticking point. It has to be visually enforced the entire voting period that each voter puts one ballot in one pile and one in the other and when polls close the observers do a coin flipping cryptographic protocol and immediately shred one random stack. You can't shuffle them all and then shred or whatever. Someone putting both ballots in one pile will screw things up. There are trivial ways to enforce this of course.
A list of all my historical published votes would after decades provide a random signal and a pattern of my own voting. However my own voting makes a random signal for some other dude, and today any goofball who wants to discriminate can pull the district records and know the couple hundred of us who vote here always vote about 80% R so although discrimination would be possible it wouldn't be any easier or more effective than it is today anyway. Go ahead, knowing nothing other than I live in an 80% R district take a guess what I usually vote...
Technically this scheme disenfranchises a completely random half the population. Well, since only half the populatio...
A weakness I see in both your system and ThreeBalot, is the need to trust in some decision maker to act correctly. You need the poll worker to actually work randomly (and not have awesome memory), ThreeBalot needs a way to confirm ballots are entered correctly.
I think the biggest sticking point with your system is the random aspect. We are essentially introducing noise into the votes. The noise might be negligible, but it impacts people's perception massively. There is also the challenge issue, because you'd need some arbitrary cut-off on the probability of the noise being to large. After all, the chance is technically nonzero that all random votes went the same way, and only the random votes were counted.
Anyone can count along with a ballot box. Anyone can stand there all day and watch the box to ensure there is no tampering, they can count, recount, and recount again. Anyone can do this. Plumbers, programmers, doctors, the unemployed, the elderly, and even the illiterate. It can be counted by one person, or 100.
But when things go electronic, the number of people that can even understand it is cut down to programmers. And the number of those that could accurately vet the security of a program is even smaller. And even a perfect electronic system needs loopholes (you can't just disenfranchise voters because they forgot their password or don't have a computer), which means the ability of fraud is still there.
Paper works, and takes a LOT of resources to sway even one precinct (even just the fact that it requires purchase of physical materials ups the amount of cover up required), let alone a county, state, or the federal levels. And because of the number of people involved, if someone did try the chances they would be found out is pretty damn high.
Anyway, acting like paper voting stop fraud is just... blind. If you think people as well connected and funded (and motivated!) as our politicians can't move the right pieces of paper to the right places with the right people, you're insane.
The only people that understand crypto are mathematicians but I'll stick to encrypting my electronic messages.
Also, I really like this: "Anyone can count along with a ballot box. Anyone can stand there all day and watch the box to ensure there is no tampering, they can count, recount, and recount again. Anyone can do this. Plumbers, programmers, doctors, the unemployed, the elderly, and even the illiterate. It can be counted by one person, or 100."
No voter left behind lol, if not everyone can do it, we can't trust it.
Better yet, do mail-in voting. It works fine for several states already, and all of them see strong correlation with voter participation, unsurprisingly. It's also cheaper. And keep a few basic polling locations around as a fallback for those unable or unwilling to deal with mail.
And then there's the cases of voting papers being dumped rather than delivered to constituents. And the possibility of tampering with the votes in the mailing system. It wouldn't be hard for malicious actors to toss out papers in majority Republican or Democrat areas to attempt to sway the election.
And having "a few" polling stations would mean that they are further apart and less accessible for people, especially poorer people who don't have the same means and time for transport.
Yeah I bet. Your boss will trade your mail in ballot for your paycheck this week. Turn it in with your calculus exam for 5 bonus points. Don't forget to take your ballot to Bible study group this Sunday, we're going to fill them out together to make sure we do it correctly. If you're in a nursing home just hand it to your favorite nurse, after all she's in charge of your medication so you have motivation to keep her happy. Your postman will simply toss it out if he doesn't like your vote but he does have a bid out for $5 if you'd like to sell, because one of the local parties is buying from him for $10 per ballot. On the other hand the gas station clerk down the street is offering $9 because his margins are lower and he paid off the cops like he paid off the health inspector and he's easier to get in touch with.
I suppose if all the dollars are concentrating in ever fewer hands, we need some kind of paper currency, and if they'd allow early voting up to perhaps 3 years and 364 days before the next election... Its possibly the only way we'll ever see the government getting a form of currency into the general public's hands to boost economic activity rather than just bailing out the bankers as usual.
Mail in is fairly banana republic tier. Its kinda like drug legalization, yeah that stuff isn't good for you, but at least if its above board and semi legalized then at least we can observe and track it, kinda, rather than underground and out of control. Actually its more like a red light district, the only way to make it worse would be to drive it underground. At least looking at vote totals we can tell how corrupt an election is based on level of mail in voting rather than knowing its bad but not how bad in total.
At the same time, I'm not aware of literally a single complaint about this kind of thing in US states that practice mail-in voting...
And drug legalization is "banana republic tier", really? No. It's a recognition that "this stuff isn't good for you" is not a sound basis for passing laws, for one thing - and for another, it turned out that a lot of "isn't good" was just plain out lies and misdirection.
I mean, seriously, are you saying that WA and OR are banana republics?
Properly done, a voting machine doesn't need to do anything more than count and tabulate. You press a button, and it adds a new vote to it's table. The vote could be printed out on paper. It could even be done via punch cards first, and then fed into the voting machine (which makes the process more inspectable by humans.)
The voting machine need not know what each candidate even is, what party they are, just assign them numbers. And it doesn't need to receive updates, or have any method of input other than reading punched cards or a voter pressing a button. It certainly doesn't need to be based on windows XP and have usb inputs. It certainly shouldn't send votes over wifi.
I think pushing for "superior voting systems" is really allowing the best to be the enemy of the good here. STV is perfectly doable by hand. AMS is only fractionally more complicated than FPTP. But most US elections (and the UK parliamentary ones, although none of the other kinds of election in the UK) are FPTP.
Let's not allow the desire for better voting systems to be tied to untrustworthy technology.
Edit: the barrier for getting a system adopted has to be "can you explain this to a partisan of the opposing faction with a high school education, and get them to agree that it's fair?"
I really dislike instant runoff voting and similar systems like STV. They are better than FPTP, but not by much. One big issue is discussed here: https://www.youtube.com/watch?v=7Q7rzqJ0YS8 But my main concern is they might tend to elect more extreme candidates, because they quickly drop candidates that don't have enough first votes, even if they are everyone's second vote.
The problems of actual existing electronic voting are a microcosm of bigger problems. We get insecure, ineffective voting machines because procurement is difficult and tends to be captured by lobbyists.
Condorcet superiority seems not all that important in practice: http://www.fairvote.org/why-the-condorcet-criterion-is-less-... , and if you have suitable multi-member constituencies for STV then you tend to end up with a couple of "extremists" and a large group of moderates in the middle.
Again, let's not let the best be the enemy of the good.
Basically the problem is with data being kept in an opaque digital database, not with vote tallying being done by a machine. If we can keep the database in a form that's untamperable and final, there's no problem with using machines to do the vote counting.
Don't throw the baby out with the bath water. Just because current electronic voting is bad, doesn't mean it has to be.
http://scorevoting.net/BayRegsFig.html
There is even a theorem that, under plausible models of voter strategy, Approval Voting will tend to elect Condorcet winners (i.e. candidates who beat all rivals by a head-to-head majority).
http://scorevoting.net/AppCW.html
Clay Shentrup Co-founder, The Center for Election Science
* Count and record our money
* Operate and monitor medical equipment
* Monitor and control planes, trains, ships, and cars
* etc
To think that we cannot use a computer to record votes is insane.
I think recent history has shown this hasn't worked out quite that well in many cases, and that in other cases was easily manipulated for purposes of fraud. There are entire sections of various law enforcement agencies that focus on this very topic.
>> Operate and monitor medical equipment
What would be the benefit of manipulating this?
>> Monitor and control planes, trains, ships, and cars
What would be the benefit of manipulating this?
I would second guess anything that uses a computer to keep a record of something that someone would have a direct benefit if manipulated. It's not a matter of whether it works or not, it's a matter of how easy is it to manipulate for a particular goal.
Killing people. Imagine a StuxNet type attack that targets medical equipment or an attack that can drop planes from the sky (https://www.wired.com/2015/05/feds-say-banned-researcher-com...)
> I would second guess anything that uses a computer to keep a record of something that someone would have a direct benefit if manipulated
Then you better move to the woods. Basic economic principals (scarcity) mean that every resource has value to an interested party.
I can only see the benefit of a targeted assassination for a very specific subset of a subset of a subset of people, not large scale killing of people. Warfare maybe? For fun? Not as obvious as fraud for monetary gain, there is a scale issue to consider.
I worry more over bugs that kill people on the operating table or in the air as opposed to someone manipulating the equipment for some unknown benefit.
>> Then you better move to the woods.
I think you're exaggerating just a bit.
Wars are extremely profitable for some.
> I think you're exaggerating just a bit.
I think you are being myopic. We trust computers with thousands of important tasks. If we can't trust them for voting, we really have to reconsider their usefulness.
That is an excellent point.
But, reading back over the posts I see that I introduced the concept of warfare even though the original points I questioned did not. So, back to my first questions; who benefits from manipulating medical and aircraft equipment on a large enough scale to be compared to potential financial fraud?
Wait, targeted assassination that starts a war... That's been done before, but unlikely.
>> If we can't trust them for voting, we really have to reconsider their usefulness.
It's not that I don't trust the computers, it's that I don't trust people.
I assumed "killing people" was broad enough to include obvious cases such as war :)
> So, back to my first questions; who benefits from manipulating medical and aircraft equipment on a large enough scale to be compared to potential financial fraud
Competing corporations via corporate espionage. A targeted hack against Siemens infusion pumps would force hospitals to consider alternatives.
> It's not that I don't trust the computers, it's that I don't trust people.
Every system in the world has been created by people with their own biases and faults. If we are really going down that path, then you must seriously consider going off the grid.
How will you know if an electronic voting system produces a wrong result, except by running a paper voting system in parallel?
Do municipalities choosing voting machine contractors have incentives aligned to promote election integrity? Can they critically evaluate security properties of what they're being sold?
I don't think so.
The republic is experiencing significant harm. If it was not, people would not be talking about it.
> How will you know if an electronic voting system produces a wrong result, except by running a paper voting system in parallel?
Audits? Open Source? Checksums? Hashes? We have many tools to verify the integrity of electronic data (I also never claimed it had to 100% digital)
> Do municipalities choosing voting machine contractors have incentives aligned to promote election integrity? Can they critically evaluate security properties of what they're being sold
If the choice is federally verified company A or federally verified company B, then yes.
[1] https://en.wikipedia.org/wiki/Three-Fifths_Compromise
Once you have thoroughly owned the voting machine system and can set weights why not, I don't know, just ignore the counted ballots entirely and report the totals as whatever you want?
I assume it adjusts the proportionality so the sum total remains the same, and ballot questions that the hijacker is not concerned with are not skewed.
Since you have no idea how many people will vote until the conclusion, if you wait until after the conclusion to modify results, it would be more obvious and difficult.
Should really be
> PART 1: VOTES COULD BE COUNTED AS FRACTIONS INSTEAD OF AS WHOLE NUMBERS
Existence of the feature doesn't indicate it's use, although it is obviously worrying.
The paper ballots that were marked and optically scanned caused no problems and were easy and fast to recount.
Some counties in FL had the old punch card ballots, some had the optically scanned. All of the problems were with the punch card ballots. And with the lawyers arguing over hanging chads and other nonsense.
https://en.wikipedia.org/wiki/Hanging_chads
> http://andrys.com/flballot.html
And how do you know someone's just not adding to the total when it's collated?
The rationale is to allow anybody to audit the system, so that soundness of the design can be proven against an adversary with perfect knowledge of it.
And yet Americans let companies enforce intellectual property rights over systems whose security (flaws) could change your vote...
update: Bruce Schneier on security of electronic voting: https://www.opendemocracy.net/media-voting/article_2213.jsp
> They allow “weighting” of races. Weighting a race removes the principle of “one person-one vote” to allow some votes to be counted as less than one or more than one.
This is extremely inflammatory language. What I think they mean is:
> They allow “weighting” of electoral contests. Weighting an electoral contest removes the principle of “one person-one vote” to allow some votes to be counted as less than one or more than one.
However, what they wrote seems to heavily imply a racial bias to electronic elections. Why they would choose to use such racially charged language around such a benign topic at this time seems only to drive links to their site over such a non-controversial issue.
"The “Summary” vote tally, which provides overall election totals for each race on Election Night"
and
"Presidential race in an entire state switched in four seconds"
Granted, they could have chosen other language that's less likely to be misconstrued. As for the choice of language, I don't think the article is all that well written (for another example, mixing "fractional" and "decimal" to mean the same thing). I don't think there was that much thought put into the language.
The last part is related to the electronic counting of the votes. Here what Fritz Scheuren, the 100th President of the American Statistical Association, had to say on the Democratic primaries “as a statistician, I find the results of the 2016 primary voting unusual. In fact, I found the patterns unexpected [and even] suspicious. There is a greater degree of smoothness in the outcomes than the roughness that is typical in raw/real data […] the difference between the reported totals, and our best estimate of the actual vote, varies considerably from state to state. However these differences are significant—sometimes more than 10%—and could change the outcome of the election”
Second reading those emails in part 2 it seems they are discussing that the per candidate numbers in weighted elections (when the machines are used for those) then adding them they show totals with one less digit. But that only matters if they have fractional parts which they haven't shown to have happened in a real election.
There doesn't seem to be any proof of actual fraud here. Just a bunch of suppositions.
It can't be that hard. A git repo per machine, recording an audit trail further verified by the block chain, could be the start of a solution, for example.
This is just a list of technologies. It's not the start of a solution, and it isn't even really clear what problem you are trying to solve.
It sounds like this is something you're interested in. I encourage you to take a look at what's being done. I've shared a couple of links elsewhere in this thread, which if nothing else can provide a starting point.
I been thinking a blockchain based system would be interesting, but it'd have to be really easy to use for everyone. People who have no computer or phone all the way to the computer expert.
https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf
I think he does a pretty good job of covering the history of modern voting and how technology can be properly applied.
You might find this Google Tech Talk by Ben Adida "Verifying Elections with Cryptography" interesting as well:
https://www.youtube.com/watch?v=ZDnShu5V99s
There are mechanisms by which one could both keep the ballot secret and allow a public tally. But to avoid hacking, like the floating-point vote-value in GEMS outlined in another story, the system does require bullet-proof crypto.
Regardless of how the ballots are counted, I do believe there should always be paper backups, scanned, and filed so that citizens can examine them digitally and in person if necessary. With that system one could spot-check any suspected irregularity. Only with such physical redundancy would I trust digital voting systems at this point.
Sometimes there's no substitute for good old dead trees.
https://en.wikipedia.org/wiki/Secret_ballot
Article 21.3 of the Universal Declaration of Human Rights states, "The will of the people...shall be expressed in periodic and genuine elections which...shall be held by secret vote or by equivalent free voting procedures."[19]
Article 23 of the American Convention on Human Rights (the Pact of San Jose, Costa Rica) grants to every citizen of member states of the Organization of American States the right and opportunity "to vote and to be elected in genuine periodic elections, which shall be by universal and equal suffrange and by secret ballot that guarantees the free expression of the will of the voters".[20]
Paragraph 7.4 of the Document of the Copenhagen Meeting of the Conference on the Human Dimension of the CSCE, obligates the member states of the Organization for Security and Cooperation in Europe to "ensure that votes are cast by secret ballot or by equivalent free voting procedure, and that they are counted and reported honestly with the official results made public."[21]
Article 5 of the Convention on the Standards of Democratic Elections, Electoral Rights and Freedoms in the Member States of the Commonwealth of Independent States obligates electoral bodies not to perform "any action violating the principle of voter's secret will expression."[22]
And if I'm understanding correctly (and I might not be), you can confirm that the printout is accurate.
Edit to add: If you can confirm that all of the ids are unique and that the total number of ids are correct, that would go a long way towards verification, along with checking arbitrary receipts against the results, regardless if the ids are pre-printed or printed afterward.
I'd prefer not having any printers involved though. Pre-printed ballots would work just fine and there's one less piece of equipment involved during the actual vote.
BTW, thanks for engaging in this discussion. It's important and it's helping me rethink through all of this.
Another option is making a fake ballot. The local newspaper used to helpfully publish their suggestion of how a devout left wing progressive would fill out their ballot. They're currently the establishment, so they're likely to be the largest problem, and its solved right there.
[0]: https://en.wikipedia.org/wiki/ThreeBallot
[1]: https://en.wikipedia.org/wiki/Scantegrity
[2]: https://en.wikipedia.org/wiki/Prêt_à_Voter
That's probably when this feature went in.
[1] http://www.sourcewatch.org/index.php/Diebold_Election_System... [2] http://www.nytimes.com/2003/11/09/business/machine-politics-...
There's stuff like 'some code I found an FTP server one time' which add considerable amounts of doubt and ambiguity.
That said, such objections merely highlight the root cause of the problem - the software and process is not auditable. If it was I could just go and check for myself. Without that access neither I nor anyone else can verify the claims, nor the counter claims that everything is legit (though see also Thompson hack, reproducible builds, etc)
I'm not a 'closed source = evil' kind of a person but here it seems like an absolute no brainier.
I'm not implying anything, but an anonymous vote for Trump was registered into the blockchain at 9:55:01 at XYZ elementary school, and at 9:55:23 a hacked gas station security camera across the street shows a dude walking out the door and into a car license plate WTF-123 that seems to be registered at the same address as drivers license number 1234-XYZ which happens to be VLM and his rather studly DL demographic data (height weight race gender) seems to match the dude in the video... Meanwhile VLMs phone, which is powned by the NSA, KGB, and god knows who else, records VLM's GPS coordinates as in the voting booth at 9:55:01 and shows him driving the car back to the coordinates of his house. And of course VLM's kids went to that elementary school when they were little. So it could just all be a coincidence, but I think I might know who VLM voted for ...
You could take steps to separate the name from the vote of course. e.g. After the person confirms their identity somehow, give them a random number that only they see/have access to, associate the vote with that number.
The "repos" could be made public and you could confirm your vote afterwards. No vote could be "changed" if it was in a chain of hashes...
Your point about timestamp is true. And although I personally think we could stand to be more open about how we vote (and also more accepting of others) I agree anonymity is important.
Perhaps a system like this would be efficient enough to greatly reduce the voting time window. Make it harder to determine who voted by timestamp due to "noise". (or perhaps, can't vote unless there are 5 people present... not a perfect solution, just throwing some ideas at the wall.)