Ask HN: Could programmers convince society not to use software voting systems?
I don't generally expect society to listen if computer programmers tell them to do or not do something. But, just maybe, they might listen if programmers said, "don't use software for this", en masse. I feel like voting systems that have no voter-verifiable paper backup are a horrible idea and (in the literal sense) a threat to democracy. Is it possible for programmers to somehow get this message across to the rest of society? Or do most other programmers think this is not a problem and the security risks are overblown?
46 comments
[ 7.3 ms ] story [ 107 ms ] thread[0] https://www.youtube.com/watch?v=G0qivPudp6U
[1] https://en.wikipedia.org/wiki/Clint_Curtis
You see your choices in paper.
You place the paper in a ballot box.
The ballot box is watched by people on both sides.
The ballot box is sealed and transparently transported to a counting facility.
The ballot counting is observed by people on both sides.
The counting facility counts the ballots twice, with both counts having to agree. The counts are communicated to a central tallying location.
The counts for each counting facility and the total are publicly communicated.
And a single poll worker still wouldn't be able to verify all of the votes in an election. There's still an insurmountable trust issue where most of the public has to accept the results from what amounts to a black box, which paper ballots don't entirely solve.
In Australia we have observers for the counting process and every party or candidate can send representatives. Political parties are practically begging for volunteers in this role. We also have a much more complex preferential voting system but the manual counting process still shows results 30-60 minutes after polls close in all but the tightest races.
> And a single poll worker still wouldn't be able to verify all of the votes in an election.
Anyone cheating would have to involve a huge number of people around the country and the people watching those people. Getting elected legitimately would be far easier.
It is done onsite so there is no risk of tempering.
If you wanted, you could stand next to the transparent ballot box the entire day and then count yourself.
The results are available a couple hours later. I can't think of any downside.
You vote electronically on a machine and it prints a paper vote.
You verify the paper vote is what you entered and then place it in the ballot box.
The machine can give an "unverified" counts in real-time to tally up results.
The votes can be verified later on using the manual method of counting paper votes. These can be cross-checked with what the machine has said.
Makes it fairly easy to identify a box and verify if needed and identity a possible suspect machine and etc.
I does the best job of preserving the voter's clear choices made by them, filtered by nobody.
Right, we started to have rigged elections after eletronic voting. /s
The current system is broken, and it seems like folly to stick your head in the sand and reject all attempts to fix it.
At this point, voting by mail seems to be the way to go in places that are going all in with software systems.
1. Open Source software, which can be verified by everyone.
2. Voting via an app with authentication as good as or through your bank account.
3. After Voting, We should be able to query and verify who our vote is with - on a particular day of counting, and get whole history of our votes. An individual persons vote is append only.
Please, do let me know drawbacks.
If there is an incentive to get to know who a individual person has voted for, then it would be with all parties.
And if you think there is just one party that is much stronger as compared to others. Then, it doesn't matter if you vote or not. They are just being nice by letting you vote.
also the secret ballet is very important to maintaining the fairness of elections.
Buying votes is a thing. If it's easy to verify that you voted for X party then it's very easy to sell your vote.
Querying and verifying your vote doesn't guarantee that it was included like that in the count, just that your real vote is stored somewhere.
What makes you think that the open source software you verified is the software actually loaded on the machine you are using to vote. What about the software on the machine that counts the votes?
> Voting via an app with authentication as good as or through your bank account.
What about voter secrecy? Logging in and then voting defeats the purpose of voting.
> After Voting, We should be able to query and verify who our vote is with - on a particular day of counting, and get whole history of our votes. An individual persons vote is append only.
If you can query to find your vote then anyone else can. Do you want everyone to know who you voted for?
You can't force people to declare their vote, If they don't want to. If the country is totally lawless, then I don't think voting will change it anyway.
Just because we can query some info about ourselves, doesn't mean anyone else can. That is clear malicious intent.
Faking paper ballots is easy; getting any substantial number of fake paper ballots into the count in a system with the kind of controls associated with paper ballots virgin hg in the US, OTOH, is not.
> Just because we can query some info about ourselves, doesn't mean anyone else can.
Yes, it does. That is, it means that the information is permanently more to your identity. It means it's subject to vote buying/retaliation, because people can choose you into proving your vote and can reward or punish you for it.
> That is clear malicious intent.
That doesn't mean it can't be done.
Note well: I am not advocating actually doing this. But that's what I think it would take.
But, if one were doing that, better to cause Mickey Mouse to win the state, it is a more clear signal. But I'm not the person to send that signal, which is why I was thinking about how else to communicate it.
But even if some are, ways exist to undermine an expert's credibility about a complex topic.
For example, when Robert Oppenheimer began warning people about the dangers of nuclear war, the attacks came. Once the government felt comfortable enough with Edward Teller, it could proceed with revoking Oppenheimer's security clearance.
That said, not sure a paper receipt actually helps because it's certainly possible for a voting machine to spit out a receipt, then change whatever data the receipt was supposed to capture. And unless the change was drastic and massive (e.g. Trump wins California) then it will probably go undetected.
On paper receipts, the idea is that it allows for recounts. Not that paper is invulnerable, but the fact that more people understand how paper works than understand how software works, makes it a better option, I think (speaking as a software person).
I'm a previous human rights activist and I worked in a lot of past elections in Turkey. I am very opinionated on this issue and I strongly believe the future is software-only votes.
Naive reasons why we should use software-only voting:
1. Humans can do mistakes. Machines can't do mistakes (unless humans who programmed them did mistakes)
2. It takes more time and resources to count votes compared to automating it.
3. You'll use less paper, so better for environment.
Better reasons why:
1. Voting is an entirely impossible-to-debug process. If you live in a corrupt republic like Turkey of Russia you need to spend thousands of dollars and people to ensure elections are held democratically. Because government won't ensure that or they will actively work against it. Software can be made debuggable.
2. If you live in a country like Russia, government can attempt collect data about your votes to estimate/learn which party you voted for. With cryptography this can be made mathematically impossible (or equivalent to very hard problems like PvsNP)
3. Recalculating election results is very infeasible in real life. If you store election data (so that it's impossible to find who voted what) and make it open, everyone can confirm election results EVEN IF we find a bug in retroactive computation script.
4. With free software (free as in freedom) it is possible for experts (computer scientists, cryptographers, law makers, attorneys etc...) to audit the process of election. This is not possible in real elections: lawyers cannot audit the election so it's possible some people make wrong decisions interfering in people's votes (i.e. deciding a bad vote to be ok, vice versa)
Problems:
1. Backdoors etc. Solution: use free software and pay experts to redundantly confirm system works. Pay software engineers to maybe write parts of the system in agda, idris, coq so it's provable. This is not terribly worse than the space program etc.
2. Not everyone can use computers. Solution: you can organize the exact same election system, call people to special places to vote and use computer instead of paper.
3. What if we're hacked even after experts checking the system? Solution: redundantly store the data, use parity bits RAID etc to ensure data integrity. If there is some unrecoverable data loss, cancel elections.
That's an incredibly limited view of the issue. Machines can make mistakes regardless of human intervention (albeit probably indirectly, because humans have an unprecedented level of influence on reality). First, there are known software glitches caused by unexpected bit flips. Second, software systems can grow to a level of complexity where unless you invest orders of magnitude more time in theorem provers for it you cannot guarantee that 'machines can't do mistakes'.
Electronic voting is an interesting problem and I agree with you, it's probably the future. But it's not a near future or not as near as you'd think. Electronic voting is vulnerable to attacks which cannot be detected when they happen. Armies of diverse human observers for paper ballots are much more effective for detecting fraud.