And a way to simply audit them. It's a bit difficult to make a fake pen and paper that would trick me into voting for the wrong person (especially at scale).
What open source hardware would that be, and how can everyone eligible to vote be able to understand how it works and be able to observe that it really does work?
Every single person doesn't understand all the security aspects of today's paper & pen ballots, how they are secured before and after the day of voting, how they are transported from one location to another, how mail-in ballots get handled, etc.
There's no reason to require something that everyone can understand when talking about a different voting system.
IMHO, we should aim to build something (whether using physical machines or using cryptography/mathematical properties) that the various parties in a government can audit and recognize as secure and that leads to a larger portion of the population voting or a cheaper election process.
Whether people do understand something is very different from whether people can understand something.
While many people maybe aren't aware of the security mechanisms of a pen and paper election, essentially everyone can actually understand them if they feel the need to, and that is extremely important. You cannot resolve widespread distrust by putting a bunch of mathematicians on TV who tell the population that everything is fine.
We already have something that can be made secure, anonymous, and auditable, and yet is easy to understand and relatively inexpensive. It is pencil and paper ballots, with multiple interested parties observing the entire process.
And if you want the benefits of computers (fast counting, ability to prove your vote was counted correctly) without sacrificing the secret ballot or the paper audit trail you can use something like punchscan or scantegrity.
To be more precise, there are 3 things that must be met for a vote to be considered acceptable, digital or not:
* it must be anonymous, ie nobody but you should know you you voted for
* it must keep integrity, ie nobody can change your vote
* it must be verifiable by all participants
Paper vote makes it easy to meet all criterions: just keep an eye on the ballot and you will be relatively sure that everything is fine. On the other hand it is impossible to have all those conditions with a digital vote, if only because digital anything isn't easily verifiable by all participants.
Implementing anonymous, distributed, publically auditable voting is quite simple. Implementing it in such a way that you can verify that your vote was counted correctly, but not be able to present it to a coercive third party to as a receipt to verify you voted for their preferred candidate, is hard.
Can you trust that you won't be punished for voting the "wrong" way? Or maybe you won't get that raise that you were seeking out because you belong to the wrong party. Paper ballots keep things anonymous and make it difficult to track who voted for whom. With "digital money" it does not mater as much if people can see who exchanged monies.
>There are ways to build anonymous but auditable voting schemes.
None that don't require printing a paper ballot so the voter can check the correct thing was done. And then taking that paper ballot and putting it in a sealed box. And once you've done that the high-tech bits are irrelevant and you're back to the cheap, safe and easy to use voting system we've been using without issue for decades or even centuries.
You can totally have a blind signature based scheme that doesn't have some of the flaws which are present with paper ballots. Some of the requirements aren't met today (such as having one and only one digital identity for everyone) but it doesn't mean that paper ballots are the only solution.
With enough effort you could implement something that still requires printing a receipt but doesn't require the ballot box. The identity issue isn't even a problem in most modern democracies. But that system would be less efficient and be easier to seed discredit since normal people don't understand it. That gives you a riot or two quite quickly. That's the other properly of paper and ballot box that technologues dismiss way too easily. >90% of the population would be able to run a paper election successfully and yet would be hopeless at understanding a complex crypto scheme. That means you quickly lose a key property of elections which is that whoever lost actually accepts that result. From the previous discussion:
"Electronic voting is the reverse FizzBuzz. FizzBuzz tests if you know the absolute basics about technology to implement something extremely simple. Electronic voting tests if you are able to reject the use of technology when it doesn't add any advantage and instead creates very hard to solve failure modes. Voting benefits from the use of the extremely simple ballot and box. It benefits from it not being programmable and from the counting method being something that almost all the population is able to carry out let alone understand."
>
There are ways to build anonymous but auditable voting schemes.
I have yet to see one that involves a digital voting system. Many of these voting systems are insecure and F/OSS(free and open source) won't fix that. You are giving too many people physical access to these systems at every step of the chain. Many have proposed a "blockchain" based voting scheme, but that takes out the anonymous aspect of voting.
>
Same goes with money, these things called crypto currencies are digital money offering various levels of anonymity.
Yes and none of them provides any anonymity since they all at one point or another reveals too much about a given transaction.
With paper ballots, it's really difficult/infeasible to track who voted for whom and is a bit more tamper resistant on a large scale.
There are actually elaborate rules and measures on the handling of paper ballots to work around complicated schemes that have been devised to defraud the vote. It's certainly not foolproof.
- Some states use mailed paper ballots
- Some states use paper-free voting
- Some states use a mixture of electronic and paper voting
The biggest risk is not the mechanism, but the way it is implemented: 5,000 independent jurisdictions all have completely independent ways of choosing how to vote, and then completely independent methods of implementing it. [3]
This[1] testimony from 2001 includes a good history of the voting process and the reasons why it is handled the way it is. The parent[2] directory contains 16 years of commentary articles.
That's one of the methods of fraud. Many counties have had "lost" ballots. Many voters have not received their absentee ballots. Florida was actually not even close to finishing counting its ballots when Obama claimed victory in 2012. California had the same problem in June 2016.
With regard to machines, many machines have recorded thousands of extra votes. Some machines run out of memory, and end up losing thousands of votes (those machines did not have paper trails). There's been plenty of problems with these machines - ones that can be fixed. But the fact that every precinct decides independently what to do and how to do it, there is absolutely no way (in the US) to provide a uniform solution to the problems of paperless voting.
I am not advocating for paperless, what I want to see is a combination of the two. Paper for auditing, Digital for backups and replication with on-site initial counting which should be validated as the ballots make it back to main election offices.
This would mean there is a digital record on receipt of the ballot and the ballot itself. This seemingly would reduce the potential for fraud in both systems.
Implement that system and an attacker will then proceed to destroy your democracy by hacking the digital part, making the counts not match and causing complete distrust in the voting system. Properly implemented paper elections have no significant fraud possibilities and convince whoever lost the election that he indeed lost. There is no problem to solve here and technology only makes things worse.
Again, 5,000 independent districts, and every single district manages itself independently. There is no way whatsoever to ensure proper implementation.
> have no significant fraud possibilities
We have a ton of provisions implemented to curtail significant attempts at fraud of paper ballots. And in paper ballot and absentee voting, there are large numbers of problems virtually every election cycle in various jurisdictions.
> and convince whoever lost the election that he indeed lost
This isn't even close to accurate. If there is a wide margin in a result, it isn't officially contested, even when we have evidence of corruption. When the margin is small, and a recount could possibly swing the vote, then the electee becomes unconvinced and demands a recount. (Or when the election result is simply too extreme, and the necessity of a recount is obvious)
>Again, 5,000 independent districts, and every single district manages itself independently. There is no way whatsoever to ensure proper implementation.
Right, so the evidence that the US sucks at implementing paper elections should be used to advocate the implementation of an incredibly more complex system that somehow will implement itself?
>We have a ton of provisions implemented to curtail significant attempts at fraud of paper ballots. And in paper ballot and absentee voting, there are large numbers of problems virtually every election cycle in various jurisdictions.
Most of the world runs these kinds of elections regularly without issue and electronic means only makes this worse. You not only don't make the count any more accurate you also add complexity and enable a bunch of denial of service opportunities.
>This isn't even close to accurate. If there is a wide margin in a result, it isn't officially contested, even when we have evidence of corruption. When the margin is small, and a recount could possibly swing the vote, then the electee becomes unconvinced and demands a recount. (Or when the election result is simply too extreme, and the necessity of a recount is obvious)
All of that is true in the US yes, but again that's because the process is poor enough. Other places have extremely close elections that don't require this. You have such poor confidence in your election process you sometimes have legally mandated recounts on a low enough margin.
Yes, we suck at elections. That's why the article we are talking about is about making our elections suck less.
Using both electronic and paper means we get the benefits of both, and each side's downsides are managed by the other mechanism. According to every expert on the subject it's the most effective means we have right now.
If you would like to compare countries and voting systems, I welcome that discussion, but unless it works specifically for the US, it's not relevant.
>According to every expert on the subject it's the most effective means we have right now.
Citation is needed for this. I know of no expert that recommends this and no argument for this. I've already pointed out how an electronic+paper system would be extremely vulnerable to attack. All you need is for the count to be different between the two for no one to trust your election.
>If you would like to compare countries and voting systems, I welcome that discussion, but unless it works specifically for the US, it's not relevant.
There's nothing about the way elections are properly run everywhere else that wouldn't work in the US. Implement enough voting booths properly staffed and you'll have no issues. If you can't do that you also can't implement any complex electronic system so this discussion is pointless.
That's exactly what I said, the tabulation at at central office would be to verify precinct counts. I'm not sure I see an issue with multiple counts, if they don't come out the same then the system should be reviewed for issues.
Sweden does two manual counts, one at the precinct and one by central election authority. The second count is the real one, but if there are too large discrepancies they would be investigate.
Using US elections as an example is generally flawed because they are usually very poorly run. Proper election procedure doesn't have that failure mode. You run a lot of small precints each with representatives of all parties. The ballot box doesn't leave their sight during the whole day. When the polls close the same people will open the box and count the votes together and since they are adversaries they won't allow any one of them to steal. This is a highly scalable method that's very cheap to run and that also has the extremely important property that whoever lost is also fully convinced he lost.
Using that procedure, two of the largest states in the US have failed to complete counting their votes in time for an election to be called for a particular candidate, several times over the past four years.
Saying we should ignore US elections as an example is totally ridiculous.
The US fails to do this and then has a problem counting fast enough. We should ignore the fact that the US is incapable of running proper elections since we have plenty of examples across the world of well run elections.
>failed to complete counting their votes in time for an election to be called for a particular candidate
This is another example of not running a proper election. If you haven't counted the vote the election is not over. There is no such thing as "not calling in time". In time for what? The news cycle?
> Using that procedure, two of the largest states in the US have failed to complete counting their votes in time for an election to be called for a particular candidate, several times over the past four years
I'm not even sure what “failed to complete counting their votes in time for an election to be called for a particular candidate”; are election results perishable such that of a count takes too long it no longer counts? Specific examples of the phenomenon you are discussing would perhaps be useful.
This was not trolling. This was a failure mode missed in the GP. I believe we need multiple modes of storing counts and ballots, such that one single system can't be overcome.
It seems perfectly reasonable to not count votes that are unclear. It's not a complex procedure to fill in a circle on a scantron, if you can't follow the directions, then too bad for you and your vote and your preferred candidates.
Yes, the US has been able to screw up even paper elections in an attempt to make counting supposedly faster. Most other countries just use a paper ballot with some squares next to the candidates and you mark with an X. Any deviation from that is a null vote because the voter could try to identify himself otherwise. Our elections run smoothly every time and we have well counted results in a few hours at most, faster than the US is ever able to accomplish from what I've seen.
Perception of corruption is about on par with the US in the studies I've seen. That's mostly unrelated to quality of the election process though. There the US is quite a long way back. The Bush/Gore mess would never happen here.
Agreed. And to add to it, we should switch to a system in which we have:
* 100% mail-in paper ballots, like Oregon -- no long lines, no games about which districts get which machines, no polling place intimidation
* Mandatory random-sample hand recounts (this has been shown to only need to be on the order of thousands of ballots out of millions for most races, given the statistical confidence you get with it)
I was expecting that response. The only solution, then, is to ban all mail in ballots. Right now California, for example, has optional mail-in voting. Wouldn't you expect that anyone who can be coerced to vote some way could be coerced whether the mail-in voting is optional or mandatory?
I'm not arguing that mail in ballots don't have benefits that warranted the increase in coercion risk, I'm just arguing that mail in ballots cannot be viewed as a mitigation of coercion risk compared to the way US in-person polling stations are run since they exacerbate, rather than mitigate, that risk.
Your vote and name are linked together when you mail in your ballot. Ergo, I could figure out how you voted if I were an unscrupulous postal or poll worker.
You wouldn't want your colleagues at Google knowing you voted for Trump now would you...?
With a mail-in ballot, it's possible for someone in a position to apply coercion/intimidation to compel you to complete, sign, and mail your ballot in their presence; ballot secrecy is a strong protection against intimidation/coercion, and mail-in ballots compromise that protection.
The privacy of the voting booth offers substantial protections to a voter. You might threaten or bribe me, but I can vote as I please, because you can't ever know how I actually voted. Many of these protections disappear if your ballot paper is delivered to your home and returned by post.
Husbands can coerce their wives into registering for a postal ballot and then vote on their behalf. Religious leaders can coerce their followers into registering for a postal ballot and handing it over to a chosen candidate. A corrupt care home worker could register dozens of residents for postal voting, then sell their ballot papers. Migrants with a poor grasp of the English language can be tricked into giving up their ballot paper. Poor people can be offered cash for their ballot paper. Postal ballots can be stolen from postboxes and sorting offices.
All of these frauds have taken place in the UK; local election results have been nullified on more than one occasion due to endemic fraud.
While my intuition would be that incidents are fairly rare for social reasons, intimidation/coercion with postal ballots is essentially invisible, until and unless people come forward and complain (which intimidation and coercion itself can be deployed against.) So, even if it was common, the elections would look smooth by the things we usually look at.
It's also a precaution against future regressions: you want to design protections like this for the worst political climates, not the best, so you'll be ready if e.g. an employer starts thinking they can get away with abuse during a recession or a union leader decides desparate times warrant desparate measures.
It's much easier to prevent that kind of thing rather than repair the damage after the fact, similar to the problems we've seen with gerrymandering.
Coercion is a concern in communities where there's a power imbalance in the home. Consider, for example, an overbearing husband coercing his wife to vote in a particular manner, or just taking her ballot and voting it himself (and coercing her to sign the back of the envelope.)
An option considered in one state (Utah?) was to allow mail-in voting, but the mailed ballot could be invalidated if you stopped into a polling place and voted. It adds some complexity but reduces the absolute chance of coercion.
In the current system people can intimidate you as much as they like but they can't follow you into a booth. They can't inspect your ballot after you've marked it.
Only you know who you actually voted for. That's the point.
Unless, of course, you are asked to provide evidence of your vote with the camera you are likely carrying with you into the polling booth.
I'd guess mail-in ballots increase participation at the expense of some coerced ballots. Surely the net outcome is positive. On top of that, it helps to remove the chance for the use of intimidation at the polling stations. I remember that being an issue last election.
Somebody else mentioned that some areas have a system where if you show up in person, your mailed ballot is invalidated. That seems like a good safeguard.
The bottom line for me is that I think the option of mailing ballots increases participation. There may be an increased number in coerced ballots as well, but I think the net result is postitive.
Filming yourself could easily be prohibited. In France, I'm pretty sure that the voting officer wouldn't let me put my ballot if I was filming myself doing it.
Canceling mailing or e-voting ballots when voting in person can be countered by requiring that the person hand over his ID card for the vote duration.
The idea that a vote might have been bought is a dangerous one. It's dangerous even if votes buying are not proven. I'm still not convinced about e-voting for this reason. There should be absolutely no doubt on the sincerity of a vote.
I've never not voted due to intimidation or coercion.
Long lines or inability to get to the polls on time has contributed to my not voting. Plus it's great to be able to sit with a ballot over the course of a night or two and really think about what you are going to choose. Being at the polls with people waiting behind you applies some pressure to pick the fastest option - ie choose all Democrats or all Republicans (the machine I was on had a shortcut button for that).
This is an excellent point. Also sometimes during an election, there are referendums or other races for positions that are overshadowed by the main race, e.g. Trump v Clinton, making it hard to make an informed decision on the spot like is possible when at home with access to a computer to research.
When I voted in Oregon, they mailed a newsprint book with the ballot that had a lot of text about each item with supporting and opposing groups contributing. You're right though that these days, a website would be a better way to do it.
Last election I voted in Texas as people voted quickly. It seems like they either are only voting for one or two races or they are just pressing the button that selects all Republican (I live in a red area) candidates.
I've never heard of a district that didn't make ballots publicly available some time before the election. If you don't know what is on the ballot before going to vote, it is your own fault.
I agree, however, those of us who understand the importance of paper ballots are having a hard time selling it to the public. We're coming across as Luddites. I'm impressed that the New York Times is promoting open source software; it's a small step in the right direction. Perhaps the message we should be spreading is that paper ballots are even more "open source" than any computer software. With paper, poll workers can prevent hacking by simply observing, using physical locks, and communicating with other poll workers. Software (open source or not) only seems to complicate all of that.
That's why I find the HN discussions on this so important. If the actual technology people can't see it the rest of the population has no chance. The rule of thumb, that almost never fails, is that technology always brings advantages and quickly. Sometimes it even steals their jobs. If we can get a broad agreement on the message that "trust me, I implement new technology all day every day and electronic voting is a solution looking for a problem and if your local politician tries to sell you on it he's most likely trying to steal the vote" we can do quite a bit.
Voters know in their bones that the voting computers are bad. Voters are not the problem.
Returning to paper ballots means less cheddar for cronies. Happily there's a workaround. Postal balloting (close the poll sites)!
Ballots are digitally scanned as they're received at central count. So it has all the downsides of the touchscreens with all new vulnerabilities (undetectable alterations, signature mismatches, preview election counts, voter coercion...). But voters get the comfort of paper and it keeps the cheddar flowing for the cronies.
I remember someone saying here that a key shift in framing in Germany was to call them voting computers rather than voting machines (since the broader public understands that computers can be hacked). I think we might adopt that as well.
I guess it should be pointed out that voting computers have effectively been banned by the constutional court in Germany in 2009, probably in part as a result of that framing.
As you know, election administration is more than tabulation. Maps, candidate filings, voter guides, voting records, designing ballots (artwork), poll books, canvasing reports, etc.
I traveled my state advocating open source software. I called it "citizen owned software). It's a slum dunk with voters (tax payers). And it's how things used to be.
The gatekeepers (blockers) are the election admins who outsource to their cronies. They even invent make-work just to have more cheddar for their cronies. Like signature verification and ballot tracking.
Open source voting software will never replace proprietary voting software, because open discussion of voting software security will reveal that it's impossible to build hack-proof voting terminals.
You can stuff ballot boxes, that's where the term comes from. Nothing is "hack-proof."
I think it's funny that people are freaking out on HN about this. The hacks at Defcon all took a long time to do, and I believe all required keys to the machines, and all were done on older voting machines. There has been no evidence of people hacking machines during the elections. Stuffing ballot boxes and other forms of voting fraud have been around for a long time, and nothing we do is going to stop it 100%.
Also voting machines generally have paper copies that print off the back of the machine that are anonymized but can be matched if foul play is called into question, at least in my area. Couple that with monitors that stand near machines or walk around and I feel pretty comfortable with electronic voting.
The only plausible hack would be an inside job, but I too find this difficult to believe. It would takes tons and tons of people to hack the machines if it required physical access. You'd have to hack ever machine, and even when you were done there are so many districts it would be nearly impossible to swing the election in any meaningful way.
The point is that paper ballots are harder to tamper with. To the point that at scale it becomes impossible to rig an election in the vast majority of cases.
Some things don't need a technological solution. Pen and paper and thumb dye generally work just fine.
And what seems most important to me, the failure modes are obvious.
Any school teacher who's collected tests from naughty 10 year olds can imagine all of them. These are the people who volunteer to show up and watch the process, in every district.
It's not enough to have a very low rate of cheating. The legitimacy of the process depends on this fact being clear to everyone. The fewer over-educated specialists you have to trust to be sure of this, the better.
When you say the hacks took a long time, are you talking about the time to study and understand the machines or the time a prepared tampering would take?
Let's think through the process of "ballot box stuffing".
You'd need to put enough ballots in the box to sway the count in your favor, while being watched by multiple people from both "sides" who all don't trust one another.
But let's assume you are able to do that somehow (hey, maybe you paid them all off?). Great! You've swayed the counts in one precinct... In 2012 there were 2712 voting precincts in Virginia... So to sway one state, you'd need most likely thousands of people working together and not one of them can reveal the whole plan. And that will get you one state, so multiply it by 50 to really sway an election (yes, i know you wouldn't need all 50, but ether way it's still way beyond realistic). At that scale it seems like it would be easier to just convince people to vote with you.
And you'd need to do all of that without leaving any kind of paper trail. Paper costs money, printing costs money, it's not going to be cheap or easy to hide making all those ballots. Someone is going to notice. And all it takes is one slip up, and it's all over.
Nobody is saying pencil+paper voting is perfect, just that it's the best thing we have at scale, and it's extremely difficult to "hack" without someone noticing.
It's important to note I think that the article is talking about a party primary not the actual election where the increased scrutiny and number of interested parties increases several times.
Party primaries generally happen when other, more local offices and initiatives are in the ballot, and often the primary for the other parties as well. It is exceedingly rare (at least in California) to have a single item ballot. It’s arguable that the local / state items are more important to most voters than the party primary, so there would still be plenty of scrutiny.
That varies a lot state by state. Here in NC for instance pretty much everything is on the main November ballot and the primaries are just primaries. We don't really have things like ballot initiatives or referendums though.
> In 2012 there were 2712 voting precincts in Virginia... So to sway one state, you'd need most likely thousands of people working together and not one of them can reveal the whole plan.
But you are still talking about thousands of people, MAYBE hundreds if it's a close election and you are really really strategic.
With something electronic, at the very best you end up needing the same number of people at the same amount of locations. But this time instead of having to stuff a bunch of ballots into a box without anyone seeing you, you just need time alone with a machine at any point before voting or even during voting. (and I'll honestly admit I don't know which of those is easier, but that's before we get into all the other issues with electronic voting)
I think there is a possibility that electronic voting could be better at some point in the far off future, but in reality and right now, the benefits don't even begin to outweigh the negatives.
90 minutes or less, from unprepared attendees, some of which didn't even know they would be seeing a voting machine that day [1].
> Also voting machines generally have paper copies that print off the back of the machine
This wasn't always the case, and a few bad elections happens from 2004-2006 as a result. There is also not a guarantee the voter has checked/understood the paper receipt. Overall the concept helps quite a bit.
> The only plausible hack would be an inside job
Polling station staffers are volunteers, and there are lots of them. Not particularly difficult.
Voting machines themselves are known to store results in unencrypted, easily editable MS Access databases. This allows editing/suppression of votes en masse with no trail. If said attacker can find a way to also tamper with the paper receipts (print a different result that the voter doesn't notice, or don't print at all, or make the printout unreadable), mass shenanigans could ensue.
All this just to say, "hey, it uses paper for verification on the backend, so it's fine." But we're paying companies to develop insecure machines, training voters to trust them, and bringing the integrity of our democracy into question along the way.
Just fill out a piece of paper. It's not that hard to count the votes.
Of course there will never be a perfect way. However, I have a feeling that by multiplying voting methods, fraud impact can be contained. Mail vote increases the number of people voting and have the same positive effect (drowning a fraud in valid results).
I doubt this is the case at least in the US. Polls are staffed locally by volunteers who are quite often members of the local community. Others can (and do) stay and witness the counting of votes when polls close. I think it would be pretty obvious if what got posted didn't line up with what you witnessed first hand just a few hours before, especially when you can walk down the street and ask your sister what she counted.
I believe that in the UK, the number of ballots given out at the polling station is strictly counted, and when the ballot box is opened, the first check is that the number in the box matches.
I'm not sure what they do if someone has taken a ballot but not put it in the box.
> impossible to build hack-proof voting terminals.
Suppose they do build a hack-proof voting terminal - how can you tell that's what you're voting on, and not a compromised machine with identical appearance? De-cap all the chips and put them under an electron-microscope?
In the past, I was a strong proponent of digital networked voting systems in general, as a means to bring us closer to direct democracy. I had hoped that we would be able to vote on specific issues, continuously, with little ceremony or friction. I thought that we might be able to make it as simple as hitting a +/- X button, where X is your current share of the decision (you have a pool of votes for many subjects).
The thought was, that even though a system like this could not be understood by current people, future people would have a reason to learn the technology, as they learned about vehicles and the web, because it shapes every facet of their society, in real time. It would also give us a clear case for legislating software and hardware security standards. Not my area of expertise, but do you think that standards could be devised and mandated to make hardware verification feasible, at least for medium-tech applications?
So, that's how honest people desire technological progress in the voting system. Now, I can see that we need to keep these endeavors low-key, while we cross the gap of failure between "interesting" and "robust". It could take us generations to cross that gap. Let's just keep all this experimental stuff in the digital currency / digital contract field, for now, and tell the dreamers to be patient, rather than insisting that we abandon the whole idea.
You get a transaction id for your vote when you vote, and you can verify it against the open ballot. If they don't match, either the machine or the ballot was hacked.
The public ballot is much easier to secure, since you can just use a trustless ledger. Spinning up a ton of processing power to protect the voting process day-of elections isn't infeasible.
A natural extension of the industry requirement for crypto implementations to be open-sourced. How can you rely on the security of a system you cannot inspect? The trouble is that security through obscurity is the physical standard - you can't keep a lock everyone knows the cut for - so the non-technical approach is sticking with what you know.
It's disturbing that a major corporation has the lobbying power to back that kind of unsafe position for its own gain, though.
Security through obscurity is a factor in physical security, but locks are really not an example of that. The construction of most locks is well documented, or easy to reverse engineer by buying an identical lock. The thing keeping a lock secure is the key, which is a regular secret just like any crypto key. Nobody would claim ssh does security by obscurity because anyone who knows my key can get into my server.
Well, I meant more that, in contrast to an asymmetric keypair, you can't leave a criminal alone with a lock for as long as you please. With enough time to gather information about a specific lock, someone can eventually use it to get a key - no amount of time with your public key will, at present, give you its private counterpart. The lock itself is not inherently secure in a way that having it won't compromise the key, so its security comes somewhat from the obscurity of the internals of each lock.
It's not an exact metaphor, I admit, but it's relevant to the fears of OSS - people think leaving all your public information on the table is enough to compromise the system, because in a physical model, it effectively is.
There are lock design where short of brute-forcing you can't gain any useful information. But in a way locks are hard to equate to digital concepts because typical locks are laughably insecure and can be bypassed with a $30 Amazon purchase and a few seconds of time on the lock.
They're not actually that hard to count, they leave a hard to alter record, they require more effort to fake, etc.
The under investment in voting and the focus on mechanizing it has been a disaster in the US and is teetering on the edge of being incredibly dangerous to the well-being of the country.
Electronic voting has none of the features we want and all the failure modes we don't. Return to entirely paper.
(For what it's worth, my area seems to basically use those test scanning systems on paper mail-in ballots. That's still more electronics than I like involved in the process, but is much better than fully electronic and we might be stuck with that as long as we use mail-in ballots -- which is a separate debate.)
California is almost entirely paper ballots across the state. Moreover, 1% of ballots are hand-audited to verify the integrity of the electronic tally.
Years ago there was a push for online voting. The state commission came away from that study suggesting a return to paper ballots, recommending to ditch even the new electronic voting machines that were becoming popular, because of the lack of credible, verifiable security. I think paper ballots are effectively required by law, now, with exceptions for accommodating people with disabilities.
> That's still more electronics than I like involved in the process,
I think most places that use these will use an additional count-by-hand pass afterwards. If someone is tampering with these count-only machines it's likely that they will be discovered and prosecuted.
Even if they use open source software, what guarantee is there that version of the software deployed on the machines is the same as one people can inspect?
You could have multiple independent inspectors do such certification provided state/federal laws are strong enough to discourage bad actors, but there's a bigger problem than that: how do you guarantee that the hardware is the same? You don't, especially if malicious State actors are involved.
Even in the case of inspecting software, you'd have to guarantee that the systems are secured after inspection and not tampered with. That's an even more difficult problem.
You need a system for point of use verification of system integrity by the voter as they are voting.
It also doesn't need to be "simple enough" for anyone to do it. You just need a system in place to enable voters to verify the authenticity of the machine (a relatively easy way is a public voting ledger where the voter can match the id the machine shows with what shows up in the ledger a minute later) and those with the know-how will do so.
Software can be verified as such if backed by the proper hardware, but the hardware itself can't be verified in such a manner. You can't produce a signature of a hash of the atoms in a computer.
I don't think we should encourage mail-in voting. It opens the door to all kinds of voting fraud.
A major point of the polling booth is that nobody can see what you put on you ballot, and you can lie to anyone about it. No family member can pressure you to vote in a certain way, and if somebody offers you money in exchange for your vote you take their money and vote for somebody else. And if your employer threatens to fire anyone who votes for the wrong person, you just tell them you voted for their favorite candidate, they can't tell the difference.
Mail-in voting is nice for people who physically can't visit a voting booth, either due to disability, sickness, or scheduling problems. But it should never become the norm.
Paper and pen is the way to go. It provides a verifiable record of votes cast and means you need physical/personal access to to tamper with the result. That also means people with no special skills can provide security for all segments the voting process.
Give each vote a uuid. Give the voter a receipt with their uuid and results. Post the full results online by uuid; voters can verify the recorded online result is faithful.
Label the online results by voting site. Keep a count at each site of the number of people that voted. Verify this count more or less matches the results posted online.
That would result in scenarios like this: "I'll pay you X amount for a 'Yes' UUID". It's far better to keep the result anonymous.
As for the counts, where I vote my name is recorded in a book and then I cast my ballot. So it should be possible to verify that the book tally and vote tally match.
I thought that's how democracy currently operates: you vote for me and I give you xyz. Now, combining this with a Blockchain and actually getting paid... hmmm...
One way to do it would be to present the user with the number but not give them a physical / digital certificate of the UUID. If they are all public, the conspirator trying to buy votes cannot trust that their client isn't just looking up UUIDs and giving them a different one.
You can write your identifier down, but you could also go online and look up any other identifier you want and use that one instead. The public ledger results could be timestamped so you can correlate your vote with the on chain results, but given a large enough election thousands of votes should be coming in every <unit of time the ledger uses> and you could pick any one that voted the way your sponsor wanted to claim to be your own.
It is only a problem if results don't come in in real time I think. Trying to photograph the display would be just as much of a problem as taking a picture of your ballot today. The broad point is to convey the UUID in the only untrustable memory store, the human brain.
I guess I'm not so worried about the "I'll pay you X" stuff vs. outright fraud. (And it already happens, anyway -- I had a friend who volunteered at a voting site here in SF for the last prez election, and he was quite surprised by how many elderly people came in, confused, just asking how they could vote "how they were supposed too".)
But don't they all already have a uuid - called driver's license? And they are verified against some database if they are allowed to vote. Could not you encrypt the actual vote itself but make the rest transparent?
A UUID could let one verify that one's own vote was correctly recorded, but it does nothing to prevent stuffing the ballot box, which seems to be the more normal way of swinging an election.
My defense against adding new UDIDs was that each voting station is reporting their total # of people who voted, and you have the station associated with the UDID.
If you add new UDIDs, you'll throw off those numbers.
A voting system is not just the statement to use UUIDs, oh and to use some other check when you are shown that UUIDs are not complete. There is a lot that goes into actual large scale system design.
P.S. You keep writing "UDID", but you really mean "UUID". The UDID is a specific implementation of unique device identifiers. They have nothing to do with individual people.
Strange, it seemed specific enough to me that I felt like I could implement it!
Your only actual criticism was
> Unfortunately, this system is neither trustworthy nor correct, as adding new UUIDs to the rolls defeats the system.
Which I explained was defended against by having counts at each voting site which could be compared to the online results.
Your (non) response to that was non-specific attacks on the non-planness of my plan as a whole.
Even non-planness attacks should be able to be made specific. You should be able to point to a specific unaccomplishable thing or missing detail... (Perhaps you could complain that I haven’t specified how to collect and save the voting site voter count tallies, which would be fair, but also seems solvable...)
I already mentioned the types of things that you didn't specify. You didn't specify any architecture, components, interactions, interfaces, etc. You didn't specify any protection mechanisms or state what threats would be protected against.
I'm not going to do your work for you. You might find people willing to work with you, but the odds are slim until you have a unique idea or something more than a single sentence. Literally thousands of people have discussed UUIDs, including the two links that I sent to you.
It's a high-level idea, dude. You made one specific critique, which I refuted, and now you're criticizing the idea as uncriticizable because it doesn't have enough of the details specified.
As others have said, this can lead to vote buying or voter intimidation ("vote for x or I'll break your face")
Spitballing here: What if you get the receipt with UUID and your choices, then at a separate kiosk only in the polling ststion you can enter your UUID to view the full results as posted online. Along with your UUID and results, a hash of the two is displayed and can be printed onto your receipt. Before leaving the station, you must detach and dispose of the plaintext voting choices, but you can hang onto the UUID + hash.
At any time in the future, you can enter your UUID into the site, which will compute and display only the hash, giving you verification of no tampering but not disclosing any results to nefarious third parties.
Well sex sells, right? So we say that the hash is the child of your UUID and your ballot choices, and that someone who voted the same way you did but has a different UUID will have a different-looking child. Same goes for if you had voted differently than you actually did: the kid would look different!
You did say "a good clean way" though, so perhaps that analogy is inappropriate :)
Maybe it could be explained in terms of one of those "superhero name generators"[0], where the initials used come from your UUID and the superhero name chunks come from your voting choices. Sure, a hash is a lot more mathematically complicated but the principle remains the same (to the point of the possibility of two different UUIDs and voting choices ending up with the same hash, just as anyone having the initials DJT will become The Incredible Golden Tornado).
There was once a GNU project for electronic voting (https://www.gnu.org/software/free/), but it was stopped after realizing they were trying to do was almost impossible to do and changed the direction into recommending to not use electronic voting systems at all.
The number of comments here that assume paper ballots are inherently unhackable is disturbing. Paper is a technology like any other and subject to being manipulated by clever folks. The only way to have secure, trustworthy voting systems is to have them constantly being designed, updated, understood and publicly auditable. The only downside inherent to digital vs paper systems is that they're more complex and harder for people to understand and therefore audit, but there are plenty of upsides and the downsides can be mitigated through education. Open source is absolutely important for the auditability of voting software, but the same openness and transparency is just as vital with paper. tl;dr, it's not hard to hack paper!
True, but it is significantly (as in several orders of magnitude) harder to hack paper at a national scale than it is to hack an electronic voting record at a national scale.
Hacking paper requires people physically interacting with that paper to subvert it. That amounts to 1+ person per box of paper votes.
Electronics just needs the one person who discovered and exploited the vulnerability.
Indeed, my back of the napkin was ~1+ conspirator per ballot box, assuming many boxes per polling place.
Making a conspiracy like that work at US scale would require a small country's worth of conspirators which really, really wouldn't be able to hide from the light of day for very long.
Except we aren't talking about independent or private actors. We are talking about the Russian government. Infiltrating and manipulating nationwide votes becomes a real possibility with resources of that scale.
It would take an immense amount of reorganization of trust, but open hardware verifiable (both in person and on some kind of trustless ledger akin to a blockchain) voting systems would be more secure against such national actors, because there would be no back room to burn the paper in. If the machine is public and you can trust it, and you can trace the results nationally to insure the results were accurate, you have more security than you have now.
That's total out and out bullshit and I'm surprised anyone dared post that on here. We're intelligent people you know and the "Muh Russia" narrative is not only dead, it is also buried. It was an out and out lie that only got traction due to the media being completely partisan and focused on creating outcomes instead of doing their job which is to objectively report on current events.
Also, you can't just stuff a ballot box--the number of people voting has to match the count of registered voters, so if you are stuffing you have the problem of also dealing with somehow getting rid of the legitimate ballots.
The important difference is that paper "hacking" scales as O(n) while computer hacking scales as O(1).
If you hack election software, you can change thousands or millions of votes as easily as one. The physical nature of paper means you have to work for each ballot.
That difference may not be accurate, though. It's assuming there is a way of networking between the machines and that code will be portable enough to affect N number of machines. I don't think either is necessarily true.
Even for the paper side. Most paper ballets are counted by machine so they could easily be tampered with at the count or when they're printed having a similar scale.
Hmm, not off hand. I'll see what I can find. It was my understanding from the hanging chad situation in Florida years ago that, at least in the states, most are initially counted by machine.
We count them twice by hand here in Sweden and we get the preliminary result just a few hours after the polls close, so I do not see why one has to use a machine.
And as you add more manpower to your attempt to defraud a paper-ballot election, you increase the number of co-conspirators. As you add co-conspirators, the likelihood of being undetected drops dramatically.
It's quite common to drop handfuls of paper. And really, the grouping comes down to transportation issues as well; when you move ballots in boxes and trucks, 0(n) becomes less accurate.
There were numerous issues with the security, packing, and handfuls of paper in 2000.
The mainstream digital voting method, that is a digital only ballot totaling everything is basically impossible to audit. It shouldn't be used anywhere.
Yet, there are ways to make digital voting auditable. There is an inherent conflict between a system being auditable and anonymous. You can't completely satisfy both, but paper satisfy none, so there is plenty of margin for improvement.
First, you've omitted a major downside of digital vs. paper systems, scalability. Attacks on paper systems are much harder to scale, are more easily detected and more readily audited by staff who need no IT training/experience. There are other downsides, but scalability is a good example.
Second, the "plenty of upsides" are mere niceties. I don't know of any must-haves unique to digital voting systems. What do they offer that is worth their diminished security compared with paper ballots?
I put security of our electoral process at top priority. Given the difference in attack surfaces of digital systems vs. paper ballots, I can't see a case for the former.
The continuing parade of breaches of supposedly super secure systems indicates we don't yet know how to code systems for large-scale public applications where security is absolutely essential. Paper ballots are the best we have for now.
I think decent paper ballots combined with machine counting, combined with voter ID verification (yes, I went there), combined with some kind of reliability program for poll workers would be a full spectrum kind of solution. It's not one thing that is breaking down here, it's several.
We saw with the Wisconsin recounts that only a couple cities had questionable issues and not enough to change the outcome (this time).
We saw in Michigan and Pennsylvania recounts that something more troubling was going on with Detroit and Philly and the real truth got hidden from public view when the recounts were abruptly ended in those places. I think there was evidence for fraud in certain Detroit precincts, but since that fraud involved Democrats, the media was silent on the issue. It got swept under the rug very fast.
I bet if we look harder we find fraud in Dade County, the state of Nevada, the state of Colorado, and also likely Arizona. Lastly, if we are going to be completely honest, California is allowing illegal immigrants vote in large numbers. Mind you, I'm not anti-Democrat, I'm just anti-fraud.
Verifying ID is a huge step towards ending most of the problems we have. The rest is stopping ballot stuffing and corrupt poll workers tossing out ballots.
> combined with voter ID verification (yes, I went there)
In what place in the US can you vote without ID? Where? Point it out to me. You can't.
To vote, you already have an ID. It's called a Voter Registration Card. To get one, you generally have to cough up a bill, lease, etc. originally and then vote continuously over the years.
At this point, relative to "voting fraud" (the only thing "ID" will solve), you have:
1) No evidence of significant voting fraud anywhere (we lose more ballots to mismarking)
2) Significant evidence of partisan disfranchisement
3) Leaders having been caught ON AIR saying that disfranchisement was the whole purpose
Do you need someone to run up, kick you in the nuts, and yell "IT'S ABOUT DISFRANCHISEMENT" 3 inches from your ear before you get the message?
Now, if you want to talk about election fraud where the counting of the ballots is suspicious, we can chat.
> In what place in the US can you vote without ID? Where? Point it out to me. You can't.
Sure, it's almost everywhere.
For example, I recently voted in the 2016 presidential election. I voted in San Francisco. I didn't have to provide ID. I was allowed to vote despite claiming not to remember my own address. (Which I didn't, because I hadn't lived there for a few years. Voting continuously is certainly not a requirement.)
The normal procedure is that you go to the polling place, they ask you to point yourself out on their list of registered voters, and then you vote without authenticating your identity in any way.
What happens when someone else shows up and points to the same name? I think what should happen is that it should ask the second person for proof and if they can provide it, the initial vote has to be discarded. But how? How do we know which vote is by the first person?
I assume we don't want to keep track of who voted for whom (secret ballot).
President Obama was right when he said the fix to problems in our democracy is more voter participation. Imagine if close to 100% of those eligible to vote, registered and voted. Voter fraud would be insignificant.
One thing that I think is overlooked with digital is the ease of it being replicated and backed up. Paper ballots can be destroyed.
I really like the systems where there is an original easy to use paper ballot, that gets fed into a scanner for immediate counting with the ballot being stored securely in a box below the machine. It seems that the ballot could also have a scanned image stored for posterity.
At that point all the digital information can be immediately backed-up, replicated, and so on. It seems like it's the best of both worlds...
No one has indicated they're unhackable. The argument is that ballot stuffing is pretty well understood how to mitigate enough that it's not a factor in altering outcomes.
You don't even have to modify the paper often. All that's really needed is for observers from any interested party to be allowed, which they are in the US. Then to affect anything above the city level an attacker has to bribe or coerce hundreds of people to turn a blind eye to things against their own political interests. They can watch polling places to spot ballot stuffing and counting places to spot count issues/fraud.
I'm not sure why everyone is acting like paper ballots are fool-proof. Open source could be just as fool-proof if not even more so. With hundreds of thousands of people checking the software, and all updates there's not a lot of room to sneak malicious code in. With paper, you don't have many people overseeing the entire process, and there's a lot of room for interference.
I have two open-ended questions on the subject of technology in U.S. voting.
(1) Why doesn't our electoral system require public disclosure of each voter's record? What would the ramifications of publishing each voter's identity & ballot online be? My thinking, like other comments here, is that a transparent voting system would make results more easily verifiable, if not easy to verify.
(2) At what point could we transition toward more of a democracy (in contrast to the representative, republican system) through the use of digital voting, which has a lower "barrier to entry" than turning out to a polling center? Particularly on nationwide issues like healthcare, I presume there are relatively few technological barriers to letting every citizen vote individually on a bill and immense political and social consequences. I can't fathom the outcomes -- do you know of any discussion of such a system?
Non sequitur: I've always wanted to see a "name brand" professional sports team run, down to the minutiae, by online fan voting. I know it's out there in small leagues already.
(1) Things are crazy right now. As an example that is relevant for the HN audience, Republican voters would feel the wrath and hysteria of Liberals in San Francisco who would kick them out of companies or demand their dismissal. The same would happen to Democrat voters in some Republican stronghold in a Red state.
(2) Probably not in a long time in the US. The system is built under the assumptions that you can't trust voters know what is good for them, let alone what is good for the country overall.
(1) What if we gave everyone a voter uuid that they could verify on a website where hundreds of millions of other voteruuids and votes are posted for verification
Yes, this is an excellent idea. I had read somewhere (other posters here make this point) that we could give this UUID to each voter. Then, we could give voters a way to verify their vote in the final tallies. This way, if enough voters see their vote has been changed, we could detect government interference, hacking, or other forms of fraud.
It also enables the local political machine/union/gang to come to your house post election and force you to show that you voted they way they ordered you to vote on pain of pain.
Not allowing people to photograph their ballots, to vote in public, etc. is a protective measure for the voter making it difficult to prove how they voted.
I'm pretty sure 'no one' would remember their random UUID so they'd have to be written down or recorded somewhere and whatever form that would take would be what someone would demand you produce if they wanted to know how you voted.
You're suggesting playing the lottery that some random uuid will have voted the way the malefactor has ordered you to vote?
It's a real issue. There are lots of people who have jobs that they use to support their families where they have to deal with organizations that they disagree with politically. Currently they can pay lip service in public, but vote their conscience in private. Making how people voted public record would affect a lot of people. Substantially more than, for example, the number of people who would be inconvenienced by universal voter id laws.
The hole in this system is that there is still no good mechanism for verification, at least in my eyes. What is to stop a tamperer from creating UUIDs not associated with a citizen? That's why I would consider tying to a person quite publicly.
At the same time, perhaps such a system reduces the surface area for bad actors. Now, perhaps, just the registry/database of UUIDs is a primary target.
The trend of wanting to give every citizen random ids tied to their identity is very scary. Also 'WE" won't give anyone anything. It will be a registration with a government agency that will eventually lead to their rights being violated by the govenrment at some point in the future. Why is it people want to do the government's job of infringing on rights with some faux altruistic intent.
Hmm, great point I did not think of. Doesn't the government already know your identity and voting record however? Not that that is not already scary, but if the point is to avoid fraud, then it is not incrementally scarier from a privacy perspective? Not that that is not depressing that we have to look for "holding the line" instead of reducing government's visibility into people's actions.
how many promises of "no personal information will be stored" have we, as people in various levels of the tech field, know for a fact is a tricky worded lie.
If the voter can prove that they've voted some way, then their spouse/boss/landlord will just demand that they show their record of voting the way they wanted you to. This destroys the secret ballot.
On 1, secrecy of ballot is fundamental to a open democracy. Otherwise, selling your ballot becomes very easy. Without secret ballots, there's no market for votes, because you can't verify I didn't just take your money and run.
I don't understand how one couldn't see this as an obvious issue the way, especially today's youth treat discourse on any level wether political or social. The way people are being deemed racist, nazis, fascists, problematic and one of many other terms that have been trivialized because they don't understand how to disagree is scarry. To hand over that info tied directly to you is the most "problematic" suggestion of all. The discussion in this thread is disturbing.
In Denmark it was public who voted for what until around 100 years ago. In the first secret election where employers, landlords and other people in power couldn't see who their subordinates voted for the workers party got markedly more votes.
Think about it, it's easy for an employer to say that he will only employ people who voted for X, a landlord that will only take in tenants that voted for the right party, or even family members that will make sure that everyone votes along party lines.
Interesting. Sure, voter intimidation is particularly possible w/ public information, but I wonder why voters should be any less accountable for their decisions & actions than elected officials. Do not both owe some sort of responsibility to the country?
Open source voting software is not sufficient. Paper ballots are better, but I suspect that electronic + verified paper receipt + an audit process is a fuller solution. Paper alone can be more easily locally subverted, electronic alone can be more globally. But if you have to alter both an electronic record/reporting and the paper ballots in a way that correlates then you have a better resistance than either paper/electronic alone.
Haven't we gotten past the "open source == secure" mindset yet? Yes, open source software can be audited. But secure software is also really really expensive. "With enough eyes, all bugs are shallow" has been pretty well repudiated. Finding security bugs and fixing them in open source products is exactly the sort of drudgery that people don't tend to do on their own; it's not fun like adding new features is. Open source is not a silver bullet to add security where other forces are pushing against it. Android is open source, iOS isn't. Which is more secure? I'm not saying that iOS is more secure because it's closed source, I'm just saying that "open source == secure" is overly simplistic.
To nitpic a little bit, much of iOS is in fact Open Source. Darwin and the XNU kernel public repos are updated by Apple after each release of their OSes.
Definitely not as Open as Linux, but not closed source either.
Many open-source projects simply don't have the resources to adequately test their products or provide support. Contrast this with a large company which has the resources and the willpower to provide support for their software. Often the best of both worlds is a large company/organization that dedicates its resources to an open-source product, but that's not always the case.
But this issue is never as black and white as "open-source is more secure." There are many other factors that go into the security of a product beyond its source code being readable. Deciding which factors matter largely depends upon your unique threat model.
I'm not sure about "a large company/organization that dedicates its resources to an open-source product" being the best of both worlds. I mean, maybe narrowly defined, sure. But take one of the better examples of the form, Chrome/Chromium. I'm not sure that a world where we get a free web browser that is used to funnel us all into an ad-driven model powered by an incredible surveillance apparatus is strictly better than a world where we all have to buy our web browsers. There's tradeoffs all the way down. Open source coexists well with some revenue models and doesn't with others, and the revenue models that best coexist with open source have some very significant downsides in terms of how they don't align the interests of the business with that of its users.
I am concurring with you. The point I'm making is that it's a matter of resources and trust, not literal "open source" that matters.
If I trust an organization to put the resources towards properly auditing their software, that's often far more important then whether or not I can personally do an audit. The majority of people and organizations do not have the time or technical skills to properly evaluate software. Whether the software they use is open-source won't ultimately matter.
The "many eyes" argument often falls apart because most of the time there simply aren't that many eyes dedicated to a project. What is the practical difference between Microsoft hiring 100 people to perform security audits and an open-source project that has 100 volunteers? Resources and trust. If you trust the open-source project to dedicate resources to security, and their software fits in your threat model, then use it. Or the inverse, if you don't trust MS and their software doesn't fit: avoid it. The vast majority of the time open-source vs closed-source should not be the main differentiator, but rather a smaller element of an informed decision.
This seems like a problem that requires multiple approaches to fix. Since the election, I've been thinking that a system with these features would be ideal
1. Electronic machines powered by OSS
- Provides fast counting, and potentially better UX in scenarios with large number of items to vote on
- Ability for the public to review the code
2. Machines print copy of ballot that voter can verify before being placed in a secure ballot box
- Provides auditable backup record
3. Machines give the option to print a second copy of the ballot with a unique code. This code can be used to verify selections later via some kind of online interface.
- Gives the user one more check on ballot integrity
- Allows voter to keep voting record anonymous if they choose
I think this would balance pros/cons of pure paper vs. electronic voting systems
I find Rivest's video( https://www.youtube.com/watch?v=BYRTvoZ3Rho ) on homomorphic encryption as voting mechanism quite interesting. It looks more secure than pen and paper.
All user get a receipt which they can verify is same during vote counting.
They themselves can vote count using all others receipt.
At the same time, they can't sell their vote as it's encrypted.
I think a lot of you guys mentioning paper ballots are also missing something very important: what is counting the paper ballots? Is a Scantron machine reading the ballots? If so, the firmware could be compromised to bias results in a particular direction in a stealthy manner.
I have never assumed anything other than that it would be humans, presumably mostly volunteers from the various political parties, doing the counting. That is how it is done in Sweden, and I think also a bunch of other European countries. It worked fine for us before we have computers and it still works. We get a preliminary result within a few hours, and a final result in like 3 or 4 days. And the problem of manually counting votes scales linearly with the population so the size of the country should not matter much.
251 comments
[ 3.4 ms ] story [ 185 ms ] threadhttps://news.ycombinator.com/item?id=14891266
Instead, use open source hardware. Use pen and paper!
:-)
There's no reason to require something that everyone can understand when talking about a different voting system.
IMHO, we should aim to build something (whether using physical machines or using cryptography/mathematical properties) that the various parties in a government can audit and recognize as secure and that leads to a larger portion of the population voting or a cheaper election process.
While many people maybe aren't aware of the security mechanisms of a pen and paper election, essentially everyone can actually understand them if they feel the need to, and that is extremely important. You cannot resolve widespread distrust by putting a bunch of mathematicians on TV who tell the population that everything is fine.
0: https://cseweb.ucsd.edu/~goguen/courses/275f00/abc-chads.htm...
The problem with digital voting is that it needs to be anonymous who votes for what. That makes the problem much much harder.
* it must be anonymous, ie nobody but you should know you you voted for
* it must keep integrity, ie nobody can change your vote
* it must be verifiable by all participants
Paper vote makes it easy to meet all criterions: just keep an eye on the ballot and you will be relatively sure that everything is fine. On the other hand it is impossible to have all those conditions with a digital vote, if only because digital anything isn't easily verifiable by all participants.
One criterion, three criteria.
Same goes with money, these things called crypto currencies are digital money offering various levels of anonymity.
None that don't require printing a paper ballot so the voter can check the correct thing was done. And then taking that paper ballot and putting it in a sealed box. And once you've done that the high-tech bits are irrelevant and you're back to the cheap, safe and easy to use voting system we've been using without issue for decades or even centuries.
"Electronic voting is the reverse FizzBuzz. FizzBuzz tests if you know the absolute basics about technology to implement something extremely simple. Electronic voting tests if you are able to reject the use of technology when it doesn't add any advantage and instead creates very hard to solve failure modes. Voting benefits from the use of the extremely simple ballot and box. It benefits from it not being programmable and from the counting method being something that almost all the population is able to carry out let alone understand."
I have yet to see one that involves a digital voting system. Many of these voting systems are insecure and F/OSS(free and open source) won't fix that. You are giving too many people physical access to these systems at every step of the chain. Many have proposed a "blockchain" based voting scheme, but that takes out the anonymous aspect of voting.
> Same goes with money, these things called crypto currencies are digital money offering various levels of anonymity.
Yes and none of them provides any anonymity since they all at one point or another reveals too much about a given transaction.
With paper ballots, it's really difficult/infeasible to track who voted for whom and is a bit more tamper resistant on a large scale.
edit: a word.
Rivest
The "trust" of the digital money system is because we can have humans unwind any transactions we deem to be "incorrect".
Unfortunately, we can't "unwind" an electoral transaction without giving up anonymity.
Problems with paper voting:
Problems with electronic voting: Actual way voting is handled The biggest risk is not the mechanism, but the way it is implemented: 5,000 independent jurisdictions all have completely independent ways of choosing how to vote, and then completely independent methods of implementing it. [3]This[1] testimony from 2001 includes a good history of the voting process and the reasons why it is handled the way it is. The parent[2] directory contains 16 years of commentary articles.
[1] http://homepage.divms.uiowa.edu/~jones/voting/congress.html [2] http://homepage.divms.uiowa.edu/~jones/voting/index.html [3] http://homepage.divms.uiowa.edu/~jones/voting/PutinTrump.sht...
I remember this in San Francisco in 2001,
http://www.sfgate.com/politics/article/Scavenged-ballot-box-...
With regard to machines, many machines have recorded thousands of extra votes. Some machines run out of memory, and end up losing thousands of votes (those machines did not have paper trails). There's been plenty of problems with these machines - ones that can be fixed. But the fact that every precinct decides independently what to do and how to do it, there is absolutely no way (in the US) to provide a uniform solution to the problems of paperless voting.
This would mean there is a digital record on receipt of the ballot and the ballot itself. This seemingly would reduce the potential for fraud in both systems.
Again, 5,000 independent districts, and every single district manages itself independently. There is no way whatsoever to ensure proper implementation.
> have no significant fraud possibilities
We have a ton of provisions implemented to curtail significant attempts at fraud of paper ballots. And in paper ballot and absentee voting, there are large numbers of problems virtually every election cycle in various jurisdictions.
> and convince whoever lost the election that he indeed lost
This isn't even close to accurate. If there is a wide margin in a result, it isn't officially contested, even when we have evidence of corruption. When the margin is small, and a recount could possibly swing the vote, then the electee becomes unconvinced and demands a recount. (Or when the election result is simply too extreme, and the necessity of a recount is obvious)
Right, so the evidence that the US sucks at implementing paper elections should be used to advocate the implementation of an incredibly more complex system that somehow will implement itself?
>We have a ton of provisions implemented to curtail significant attempts at fraud of paper ballots. And in paper ballot and absentee voting, there are large numbers of problems virtually every election cycle in various jurisdictions.
Most of the world runs these kinds of elections regularly without issue and electronic means only makes this worse. You not only don't make the count any more accurate you also add complexity and enable a bunch of denial of service opportunities.
>This isn't even close to accurate. If there is a wide margin in a result, it isn't officially contested, even when we have evidence of corruption. When the margin is small, and a recount could possibly swing the vote, then the electee becomes unconvinced and demands a recount. (Or when the election result is simply too extreme, and the necessity of a recount is obvious)
All of that is true in the US yes, but again that's because the process is poor enough. Other places have extremely close elections that don't require this. You have such poor confidence in your election process you sometimes have legally mandated recounts on a low enough margin.
Using both electronic and paper means we get the benefits of both, and each side's downsides are managed by the other mechanism. According to every expert on the subject it's the most effective means we have right now.
If you would like to compare countries and voting systems, I welcome that discussion, but unless it works specifically for the US, it's not relevant.
Citation is needed for this. I know of no expert that recommends this and no argument for this. I've already pointed out how an electronic+paper system would be extremely vulnerable to attack. All you need is for the count to be different between the two for no one to trust your election.
>If you would like to compare countries and voting systems, I welcome that discussion, but unless it works specifically for the US, it's not relevant.
There's nothing about the way elections are properly run everywhere else that wouldn't work in the US. Implement enough voting booths properly staffed and you'll have no issues. If you can't do that you also can't implement any complex electronic system so this discussion is pointless.
The gold standard is precinct-based tabulation of paper ballots, counted the moment the polls close.
Saying we should ignore US elections as an example is totally ridiculous.
The US fails to do this and then has a problem counting fast enough. We should ignore the fact that the US is incapable of running proper elections since we have plenty of examples across the world of well run elections.
>failed to complete counting their votes in time for an election to be called for a particular candidate
This is another example of not running a proper election. If you haven't counted the vote the election is not over. There is no such thing as "not calling in time". In time for what? The news cycle?
I'm not even sure what “failed to complete counting their votes in time for an election to be called for a particular candidate”; are election results perishable such that of a count takes too long it no longer counts? Specific examples of the phenomenon you are discussing would perhaps be useful.
Isn't there a logical fallacy named for nitpicking (concern trolling) while ignoring the whole picture?
My comment was merely in support of that.
- Change - Privatization - Centralization - Digitization
We geeks focus mostly on the voting computers. We need to focus more on stability and the appropriations process.
* 100% mail-in paper ballots, like Oregon -- no long lines, no games about which districts get which machines, no polling place intimidation
* Mandatory random-sample hand recounts (this has been shown to only need to be on the order of thousands of ballots out of millions for most races, given the statistical confidence you get with it)
You wouldn't want your colleagues at Google knowing you voted for Trump now would you...?
Husbands can coerce their wives into registering for a postal ballot and then vote on their behalf. Religious leaders can coerce their followers into registering for a postal ballot and handing it over to a chosen candidate. A corrupt care home worker could register dozens of residents for postal voting, then sell their ballot papers. Migrants with a poor grasp of the English language can be tricked into giving up their ballot paper. Poor people can be offered cash for their ballot paper. Postal ballots can be stolen from postboxes and sorting offices.
All of these frauds have taken place in the UK; local election results have been nullified on more than one occasion due to endemic fraud.
http://www.telegraph.co.uk/news/uknews/law-and-order/1156001...
http://news.bbc.co.uk/1/hi/england/west_midlands/4406575.stm
http://www.bbc.co.uk/news/uk-england-london-32428648
http://news.bbc.co.uk/1/hi/england/berkshire/7302809.stm
https://www.electoralcommission.org.uk/__data/assets/pdf_fil...
It's much easier to prevent that kind of thing rather than repair the damage after the fact, similar to the problems we've seen with gerrymandering.
An option considered in one state (Utah?) was to allow mail-in voting, but the mailed ballot could be invalidated if you stopped into a polling place and voted. It adds some complexity but reduces the absolute chance of coercion.
Only you know who you actually voted for. That's the point.
I'd guess mail-in ballots increase participation at the expense of some coerced ballots. Surely the net outcome is positive. On top of that, it helps to remove the chance for the use of intimidation at the polling stations. I remember that being an issue last election.
Somebody else mentioned that some areas have a system where if you show up in person, your mailed ballot is invalidated. That seems like a good safeguard.
The bottom line for me is that I think the option of mailing ballots increases participation. There may be an increased number in coerced ballots as well, but I think the net result is postitive.
Canceling mailing or e-voting ballots when voting in person can be countered by requiring that the person hand over his ID card for the vote duration.
The idea that a vote might have been bought is a dangerous one. It's dangerous even if votes buying are not proven. I'm still not convinced about e-voting for this reason. There should be absolutely no doubt on the sincerity of a vote.
In most states this is illegal. In, GA, the SOS posted a reminder. (follied by the President's picture)
Long lines or inability to get to the polls on time has contributed to my not voting. Plus it's great to be able to sit with a ballot over the course of a night or two and really think about what you are going to choose. Being at the polls with people waiting behind you applies some pressure to pick the fastest option - ie choose all Democrats or all Republicans (the machine I was on had a shortcut button for that).
Last election I voted in Texas as people voted quickly. It seems like they either are only voting for one or two races or they are just pressing the button that selects all Republican (I live in a red area) candidates.
Except that mail-in ballots mean that some generally significant chunk of the electorate can't react to new news in a dynamic election.
I don't like mail-in ballots. I do think that Election Day should be a holiday.
Returning to paper ballots means less cheddar for cronies. Happily there's a workaround. Postal balloting (close the poll sites)!
Ballots are digitally scanned as they're received at central count. So it has all the downsides of the touchscreens with all new vulnerabilities (undetectable alterations, signature mismatches, preview election counts, voter coercion...). But voters get the comfort of paper and it keeps the cheddar flowing for the cronies.
I traveled my state advocating open source software. I called it "citizen owned software). It's a slum dunk with voters (tax payers). And it's how things used to be.
The gatekeepers (blockers) are the election admins who outsource to their cronies. They even invent make-work just to have more cheddar for their cronies. Like signature verification and ballot tracking.
Paper ballots are a superior technology.
I think it's funny that people are freaking out on HN about this. The hacks at Defcon all took a long time to do, and I believe all required keys to the machines, and all were done on older voting machines. There has been no evidence of people hacking machines during the elections. Stuffing ballot boxes and other forms of voting fraud have been around for a long time, and nothing we do is going to stop it 100%.
Also voting machines generally have paper copies that print off the back of the machine that are anonymized but can be matched if foul play is called into question, at least in my area. Couple that with monitors that stand near machines or walk around and I feel pretty comfortable with electronic voting.
The only plausible hack would be an inside job, but I too find this difficult to believe. It would takes tons and tons of people to hack the machines if it required physical access. You'd have to hack ever machine, and even when you were done there are so many districts it would be nearly impossible to swing the election in any meaningful way.
Some things don't need a technological solution. Pen and paper and thumb dye generally work just fine.
Any school teacher who's collected tests from naughty 10 year olds can imagine all of them. These are the people who volunteer to show up and watch the process, in every district.
It's not enough to have a very low rate of cheating. The legitimacy of the process depends on this fact being clear to everyone. The fewer over-educated specialists you have to trust to be sure of this, the better.
You'd need to put enough ballots in the box to sway the count in your favor, while being watched by multiple people from both "sides" who all don't trust one another.
But let's assume you are able to do that somehow (hey, maybe you paid them all off?). Great! You've swayed the counts in one precinct... In 2012 there were 2712 voting precincts in Virginia... So to sway one state, you'd need most likely thousands of people working together and not one of them can reveal the whole plan. And that will get you one state, so multiply it by 50 to really sway an election (yes, i know you wouldn't need all 50, but ether way it's still way beyond realistic). At that scale it seems like it would be easier to just convince people to vote with you.
And you'd need to do all of that without leaving any kind of paper trail. Paper costs money, printing costs money, it's not going to be cheap or easy to hide making all those ballots. Someone is going to notice. And all it takes is one slip up, and it's all over.
Nobody is saying pencil+paper voting is perfect, just that it's the best thing we have at scale, and it's extremely difficult to "hack" without someone noticing.
Increase by 49 or multiply by 50, no?
Even so, I’m in favor of paper ballots - I think voting machines are nothing more than rent seeking by their manufacturers.
[1] http://www.nytimes.com/1990/02/11/us/how-johnson-won-electio...
With something electronic, at the very best you end up needing the same number of people at the same amount of locations. But this time instead of having to stuff a bunch of ballots into a box without anyone seeing you, you just need time alone with a machine at any point before voting or even during voting. (and I'll honestly admit I don't know which of those is easier, but that's before we get into all the other issues with electronic voting)
I think there is a possibility that electronic voting could be better at some point in the far off future, but in reality and right now, the benefits don't even begin to outweigh the negatives.
90 minutes or less, from unprepared attendees, some of which didn't even know they would be seeing a voting machine that day [1].
> Also voting machines generally have paper copies that print off the back of the machine
This wasn't always the case, and a few bad elections happens from 2004-2006 as a result. There is also not a guarantee the voter has checked/understood the paper receipt. Overall the concept helps quite a bit.
> The only plausible hack would be an inside job
Polling station staffers are volunteers, and there are lots of them. Not particularly difficult.
Voting machines themselves are known to store results in unencrypted, easily editable MS Access databases. This allows editing/suppression of votes en masse with no trail. If said attacker can find a way to also tamper with the paper receipts (print a different result that the voter doesn't notice, or don't print at all, or make the printout unreadable), mass shenanigans could ensue.
All this just to say, "hey, it uses paper for verification on the backend, so it's fine." But we're paying companies to develop insecure machines, training voters to trust them, and bringing the integrity of our democracy into question along the way.
Just fill out a piece of paper. It's not that hard to count the votes.
1. http://fortune.com/2017/07/31/defcon-hackers-us-voting-machi...
Canton of Geneva have open sourced their voting app. https://github.com/republique-et-canton-de-geneve/chvote-1-0
Of course there will never be a perfect way. However, I have a feeling that by multiplying voting methods, fraud impact can be contained. Mail vote increases the number of people voting and have the same positive effect (drowning a fraud in valid results).
I'm not sure what they do if someone has taken a ballot but not put it in the box.
Suppose they do build a hack-proof voting terminal - how can you tell that's what you're voting on, and not a compromised machine with identical appearance? De-cap all the chips and put them under an electron-microscope?
I work in hardware verification and have worked in software verification in the past.
I still wouldn't trust voting machines that I had verified myself. How could I tell my program apart from software that "looked" right?
I can't fathom why anyone who is honest wants to bring electronics into this.
The thought was, that even though a system like this could not be understood by current people, future people would have a reason to learn the technology, as they learned about vehicles and the web, because it shapes every facet of their society, in real time. It would also give us a clear case for legislating software and hardware security standards. Not my area of expertise, but do you think that standards could be devised and mandated to make hardware verification feasible, at least for medium-tech applications?
So, that's how honest people desire technological progress in the voting system. Now, I can see that we need to keep these endeavors low-key, while we cross the gap of failure between "interesting" and "robust". It could take us generations to cross that gap. Let's just keep all this experimental stuff in the digital currency / digital contract field, for now, and tell the dreamers to be patient, rather than insisting that we abandon the whole idea.
Additionally, if you really wanted to protect voting and still use computers, use an open ballot and also allow voters to audit their own vote.
The public ballot is much easier to secure, since you can just use a trustless ledger. Spinning up a ton of processing power to protect the voting process day-of elections isn't infeasible.
It's disturbing that a major corporation has the lobbying power to back that kind of unsafe position for its own gain, though.
It's not an exact metaphor, I admit, but it's relevant to the fears of OSS - people think leaving all your public information on the table is enough to compromise the system, because in a physical model, it effectively is.
They're not actually that hard to count, they leave a hard to alter record, they require more effort to fake, etc.
The under investment in voting and the focus on mechanizing it has been a disaster in the US and is teetering on the edge of being incredibly dangerous to the well-being of the country.
Electronic voting has none of the features we want and all the failure modes we don't. Return to entirely paper.
(For what it's worth, my area seems to basically use those test scanning systems on paper mail-in ballots. That's still more electronics than I like involved in the process, but is much better than fully electronic and we might be stuck with that as long as we use mail-in ballots -- which is a separate debate.)
Years ago there was a push for online voting. The state commission came away from that study suggesting a return to paper ballots, recommending to ditch even the new electronic voting machines that were becoming popular, because of the lack of credible, verifiable security. I think paper ballots are effectively required by law, now, with exceptions for accommodating people with disabilities.
I think most places that use these will use an additional count-by-hand pass afterwards. If someone is tampering with these count-only machines it's likely that they will be discovered and prosecuted.
Even in the case of inspecting software, you'd have to guarantee that the systems are secured after inspection and not tampered with. That's an even more difficult problem.
The systems are simply too complex.
It also doesn't need to be "simple enough" for anyone to do it. You just need a system in place to enable voters to verify the authenticity of the machine (a relatively easy way is a public voting ledger where the voter can match the id the machine shows with what shows up in the ledger a minute later) and those with the know-how will do so.
A major point of the polling booth is that nobody can see what you put on you ballot, and you can lie to anyone about it. No family member can pressure you to vote in a certain way, and if somebody offers you money in exchange for your vote you take their money and vote for somebody else. And if your employer threatens to fire anyone who votes for the wrong person, you just tell them you voted for their favorite candidate, they can't tell the difference.
Mail-in voting is nice for people who physically can't visit a voting booth, either due to disability, sickness, or scheduling problems. But it should never become the norm.
Label the online results by voting site. Keep a count at each site of the number of people that voted. Verify this count more or less matches the results posted online.
As for the counts, where I vote my name is recorded in a book and then I cast my ballot. So it should be possible to verify that the book tally and vote tally match.
You can write your identifier down, but you could also go online and look up any other identifier you want and use that one instead. The public ledger results could be timestamped so you can correlate your vote with the on chain results, but given a large enough election thousands of votes should be coming in every <unit of time the ledger uses> and you could pick any one that voted the way your sponsor wanted to claim to be your own.
It is only a problem if results don't come in in real time I think. Trying to photograph the display would be just as much of a problem as taking a picture of your ballot today. The broad point is to convey the UUID in the only untrustable memory store, the human brain.
Unfortunately, this system is neither trustworthy nor correct, as adding new UUIDs to the rolls defeats the system.
A voting system is a security system that has to work in the presence of bad actors.
If you add new UDIDs, you'll throw off those numbers.
P.S. You keep writing "UDID", but you really mean "UUID". The UDID is a specific implementation of unique device identifiers. They have nothing to do with individual people.
i tried to fix two things with my proposal: changing votes and adding votes.
let’s hear some concrete criticisms and suggestions.
i dont feel like the current systems are particularly thoughtfully designed. we could probably do better in this HN thread. :)
If you don't present a design, you won't find anyone to critique it. My suggestion is to design something and then present it.
No. You will need to perform a lot more work at system details, algorithms, interactions, interfaces, components, etc.
Declaring "UUID" isn't really a design. It's not even a workable idea, yet.
Here is one design for a voting system, which had been posted to HN last year. http://www.economist.com/sites/default/files/nyu.pdf
Some of my review of it: https://news.ycombinator.com/item?id=13144302
Your only actual criticism was
> Unfortunately, this system is neither trustworthy nor correct, as adding new UUIDs to the rolls defeats the system.
Which I explained was defended against by having counts at each voting site which could be compared to the online results.
Your (non) response to that was non-specific attacks on the non-planness of my plan as a whole.
Even non-planness attacks should be able to be made specific. You should be able to point to a specific unaccomplishable thing or missing detail... (Perhaps you could complain that I haven’t specified how to collect and save the voting site voter count tallies, which would be fair, but also seems solvable...)
I'm not going to do your work for you. You might find people willing to work with you, but the odds are slim until you have a unique idea or something more than a single sentence. Literally thousands of people have discussed UUIDs, including the two links that I sent to you.
It's a high-level idea, dude. You made one specific critique, which I refuted, and now you're criticizing the idea as uncriticizable because it doesn't have enough of the details specified.
Thanks for playing, I guess.
Spitballing here: What if you get the receipt with UUID and your choices, then at a separate kiosk only in the polling ststion you can enter your UUID to view the full results as posted online. Along with your UUID and results, a hash of the two is displayed and can be printed onto your receipt. Before leaving the station, you must detach and dispose of the plaintext voting choices, but you can hang onto the UUID + hash.
At any time in the future, you can enter your UUID into the site, which will compute and display only the hash, giving you verification of no tampering but not disclosing any results to nefarious third parties.
You did say "a good clean way" though, so perhaps that analogy is inappropriate :)
Maybe it could be explained in terms of one of those "superhero name generators"[0], where the initials used come from your UUID and the superhero name chunks come from your voting choices. Sure, a hash is a lot more mathematically complicated but the principle remains the same (to the point of the possibility of two different UUIDs and voting choices ending up with the same hash, just as anyone having the initials DJT will become The Incredible Golden Tornado).
[0]http://weknowmemes.com/wp-content/uploads/2013/10/superhero-...
True, but it is significantly (as in several orders of magnitude) harder to hack paper at a national scale than it is to hack an electronic voting record at a national scale.
Hacking paper requires people physically interacting with that paper to subvert it. That amounts to 1+ person per box of paper votes.
Electronics just needs the one person who discovered and exploited the vulnerability.
And it quickly becomes unmaintenable, "three can keep a secret, if two of them are dead".
Making a conspiracy like that work at US scale would require a small country's worth of conspirators which really, really wouldn't be able to hide from the light of day for very long.
It would take an immense amount of reorganization of trust, but open hardware verifiable (both in person and on some kind of trustless ledger akin to a blockchain) voting systems would be more secure against such national actors, because there would be no back room to burn the paper in. If the machine is public and you can trust it, and you can trace the results nationally to insure the results were accurate, you have more security than you have now.
To hack the U.S 2016 votes you'd only need to flip a few counties in Pennsylvania, Michigan, and Fl.
If you hack election software, you can change thousands or millions of votes as easily as one. The physical nature of paper means you have to work for each ballot.
Even for the paper side. Most paper ballets are counted by machine so they could easily be tampered with at the count or when they're printed having a similar scale.
Do you have a source for that statement? In Germany, ballots are counted by people making tally marks on paper.
Edit: Here you go. I couldn't find research or a study regarding it but this is probably good enough and was always my experience when I voted by paper: https://www.wired.com/2016/11/vote-counts-ballot-get-counted...
And recount-able by hand in case there is doubt.
One reason is that Americans vote a lot more than Swedes. Here in California I have probably ~100 elections to vote in for each I had in Sweden.
Not necessarily. I'm not cryptography expert, but I suspect some kind of proof-of-work system can be used for ballots.
http://www.dailymail.co.uk/news/article-3796116/Putin-s-part...
It's quite common to drop handfuls of paper. And really, the grouping comes down to transportation issues as well; when you move ballots in boxes and trucks, 0(n) becomes less accurate.
There were numerous issues with the security, packing, and handfuls of paper in 2000.
Yet, there are ways to make digital voting auditable. There is an inherent conflict between a system being auditable and anonymous. You can't completely satisfy both, but paper satisfy none, so there is plenty of margin for improvement.
First, you've omitted a major downside of digital vs. paper systems, scalability. Attacks on paper systems are much harder to scale, are more easily detected and more readily audited by staff who need no IT training/experience. There are other downsides, but scalability is a good example.
Second, the "plenty of upsides" are mere niceties. I don't know of any must-haves unique to digital voting systems. What do they offer that is worth their diminished security compared with paper ballots?
I put security of our electoral process at top priority. Given the difference in attack surfaces of digital systems vs. paper ballots, I can't see a case for the former.
The continuing parade of breaches of supposedly super secure systems indicates we don't yet know how to code systems for large-scale public applications where security is absolutely essential. Paper ballots are the best we have for now.
We saw with the Wisconsin recounts that only a couple cities had questionable issues and not enough to change the outcome (this time).
We saw in Michigan and Pennsylvania recounts that something more troubling was going on with Detroit and Philly and the real truth got hidden from public view when the recounts were abruptly ended in those places. I think there was evidence for fraud in certain Detroit precincts, but since that fraud involved Democrats, the media was silent on the issue. It got swept under the rug very fast.
I bet if we look harder we find fraud in Dade County, the state of Nevada, the state of Colorado, and also likely Arizona. Lastly, if we are going to be completely honest, California is allowing illegal immigrants vote in large numbers. Mind you, I'm not anti-Democrat, I'm just anti-fraud.
Verifying ID is a huge step towards ending most of the problems we have. The rest is stopping ballot stuffing and corrupt poll workers tossing out ballots.
In what place in the US can you vote without ID? Where? Point it out to me. You can't.
To vote, you already have an ID. It's called a Voter Registration Card. To get one, you generally have to cough up a bill, lease, etc. originally and then vote continuously over the years.
At this point, relative to "voting fraud" (the only thing "ID" will solve), you have:
1) No evidence of significant voting fraud anywhere (we lose more ballots to mismarking)
2) Significant evidence of partisan disfranchisement
3) Leaders having been caught ON AIR saying that disfranchisement was the whole purpose
Do you need someone to run up, kick you in the nuts, and yell "IT'S ABOUT DISFRANCHISEMENT" 3 inches from your ear before you get the message?
Now, if you want to talk about election fraud where the counting of the ballots is suspicious, we can chat.
"Under non-strict requirements, a voter who does not have the necessary identification may still vote without casting a provisional ballot.[1]"
Sure, it's almost everywhere.
For example, I recently voted in the 2016 presidential election. I voted in San Francisco. I didn't have to provide ID. I was allowed to vote despite claiming not to remember my own address. (Which I didn't, because I hadn't lived there for a few years. Voting continuously is certainly not a requirement.)
The normal procedure is that you go to the polling place, they ask you to point yourself out on their list of registered voters, and then you vote without authenticating your identity in any way.
Is this detailed/concrete enough for you?
I assume we don't want to keep track of who voted for whom (secret ballot).
President Obama was right when he said the fix to problems in our democracy is more voter participation. Imagine if close to 100% of those eligible to vote, registered and voted. Voter fraud would be insignificant.
I really like the systems where there is an original easy to use paper ballot, that gets fed into a scanner for immediate counting with the ballot being stored securely in a box below the machine. It seems that the ballot could also have a scanned image stored for posterity.
At that point all the digital information can be immediately backed-up, replicated, and so on. It seems like it's the best of both worlds...
(1) Why doesn't our electoral system require public disclosure of each voter's record? What would the ramifications of publishing each voter's identity & ballot online be? My thinking, like other comments here, is that a transparent voting system would make results more easily verifiable, if not easy to verify.
(2) At what point could we transition toward more of a democracy (in contrast to the representative, republican system) through the use of digital voting, which has a lower "barrier to entry" than turning out to a polling center? Particularly on nationwide issues like healthcare, I presume there are relatively few technological barriers to letting every citizen vote individually on a bill and immense political and social consequences. I can't fathom the outcomes -- do you know of any discussion of such a system?
Non sequitur: I've always wanted to see a "name brand" professional sports team run, down to the minutiae, by online fan voting. I know it's out there in small leagues already.
(2) Probably not in a long time in the US. The system is built under the assumptions that you can't trust voters know what is good for them, let alone what is good for the country overall.
Not allowing people to photograph their ballots, to vote in public, etc. is a protective measure for the voter making it difficult to prove how they voted.
It's a real issue. There are lots of people who have jobs that they use to support their families where they have to deal with organizations that they disagree with politically. Currently they can pay lip service in public, but vote their conscience in private. Making how people voted public record would affect a lot of people. Substantially more than, for example, the number of people who would be inconvenienced by universal voter id laws.
At the same time, perhaps such a system reduces the surface area for bad actors. Now, perhaps, just the registry/database of UUIDs is a primary target.
Retribution.
Think about it, it's easy for an employer to say that he will only employ people who voted for X, a landlord that will only take in tenants that voted for the right party, or even family members that will make sure that everyone votes along party lines.
There's a very good reason why voting is secret.
(2) Tyranny of the majority is a living hell.
Definitely not as Open as Linux, but not closed source either.
But this issue is never as black and white as "open-source is more secure." There are many other factors that go into the security of a product beyond its source code being readable. Deciding which factors matter largely depends upon your unique threat model.
If I trust an organization to put the resources towards properly auditing their software, that's often far more important then whether or not I can personally do an audit. The majority of people and organizations do not have the time or technical skills to properly evaluate software. Whether the software they use is open-source won't ultimately matter.
The "many eyes" argument often falls apart because most of the time there simply aren't that many eyes dedicated to a project. What is the practical difference between Microsoft hiring 100 people to perform security audits and an open-source project that has 100 volunteers? Resources and trust. If you trust the open-source project to dedicate resources to security, and their software fits in your threat model, then use it. Or the inverse, if you don't trust MS and their software doesn't fit: avoid it. The vast majority of the time open-source vs closed-source should not be the main differentiator, but rather a smaller element of an informed decision.
https://lwn.net/Articles/44077/ http://www.softimp.com.au/evacs/products.html
1. Electronic machines powered by OSS - Provides fast counting, and potentially better UX in scenarios with large number of items to vote on - Ability for the public to review the code 2. Machines print copy of ballot that voter can verify before being placed in a secure ballot box - Provides auditable backup record 3. Machines give the option to print a second copy of the ballot with a unique code. This code can be used to verify selections later via some kind of online interface. - Gives the user one more check on ballot integrity - Allows voter to keep voting record anonymous if they choose
I think this would balance pros/cons of pure paper vs. electronic voting systems
All user get a receipt which they can verify is same during vote counting. They themselves can vote count using all others receipt. At the same time, they can't sell their vote as it's encrypted.
Please observe a real world example of this: https://www.youtube.com/watch?v=8mBMHPxdljE
But those are both more straightforward with paper ballots than with other systems.
You could put them in sequence and compare the results. If results diverge, you investigate why.