133 comments

[ 3.9 ms ] story [ 215 ms ] thread
Let's rehash that old argument in the comments shall we?
Pretty much everyone (i.e. by a margin that would be considered a landslide in a normal election) who works near tech agrees that electronic voting is fine as long as it produces a paper record (or a uses a paper ballot) per vote which provides a mechanism to verify the integrity of the system after the fact and makes tampering hard to scale.

There. Done.

Edit: changed wording, receipt vs record.

An electronic machine that only exists to print a paper ballot makes the most sense IMO. You get the convenience and consistency of a touch screen (no hanging chads), but you get to see the paper that gets printed out and see that it matches what you put in, and the paper is the actual system of record that matters.
Do you see a role for the electronic machine to provide a count as well? My sense is that the switch to electronic machines (and the switch to mechanical booths prior) had to have been driven at least in part to make the preliminary count easier to obtain.
For those of us who want to switch to alternate electoral methods like RCV, approval voting, multimember districting, etc, using machine counting is a big deal. If you are paper only, the increased labor to do repeated tabulations (as is done to an extent in RCV) is significant. It is the reason a bill to implement RCV in a state I used to live failed, after passing the state house and being discussed for some time in the state senate.

Whatever counting method you are using and whatever reporting method you are using, it needs to be verifiable. I still can't believe we had ballots from 2016 that were destroyed after brin subpoenaed, without any consequence for those who had charge of their possession and safety.

I beg to differ. I live in Minneapolis, where we do RCV on paper. It has not caused any of the problems you're talking about.
Counting paper votes is a solved problem, and nations that use entirely paper ballots don't have slow preliminary counts. Australia, for example, has a somewhat complicated preferential voting system and relies entirely on paper ballots, and yet they are generally able to provide a conclusive result the night of an election (with televised tracking of counts throughout the country).

This may not make sense intuitively, but counting paper scales quite well by being distributed to the polling locations and physically sorting the paper ballots. The Australian Electoral Commission documents the counting process quite thoroughly [0].

The only time counting paper takes a long time to get a win/lose result is when results are close enough that every vote needs to be counted. This is surprisingly rare in practice.

[0]: https://www.aec.gov.au/Voting/counting/index.htm

I don't feel we have a track record of responding well to elections where irregularities are suspected. Especially after a winner has been declared, and the loser has conceded.

I mean, the 2000 US presidential election had a recount... that was cancelled. The Brexit referendum had a bunch of spending irregularities... but the result stands. The 2016 US presidential election had allegations of Russian interference... but the result stands.

It's pointless having an early electronic result and a late paper result if the early result always stands - the late paper result gives you nothing except a false sense of security.

>I mean, the 2000 US presidential election had a recount... that was cancelled. The Brexit referendum had a bunch of spending irregularities... but the result stands. The 2016 US presidential election had allegations of Russian interference... but the result stands.

In none of those cases was there proof that actual vote counts were altered.

There are still ongoing investigations into Russia's interference, but the side that the interference helped is the on that's currently in power, and there's enough ambiguity for them to avoid taking any direct action. If we'd had a paper ballots that proved that Russia hacked voting machines and actually changed 100k or so votes--I'm 100% confident we'd have had a completely different outcome.

  In none of those cases was there proof
  that actual vote counts were altered.
I was thinking more of the recounts that were cancelled. If you can't recount to check if vote counts were altered without first having proof that vote counts were altered, what's the point?

More broadly, I hoped to illustrate the fact winners oppose fishing expeditions to double-check election integrity.

I simply don't believe we have the option of getting the result wrong on the first announcement. It has to be right the first time. And because it has to be right first time, we should apply our most trusted counting method the first time; the addition of an early-but-untrustworthy count is a move in the wrong direction.

>I was thinking more of the recounts that were cancelled. If you can't recount to check if vote counts were altered without first having proof that vote counts were altered, what's the point?

But you can. Many states already have automatic recount laws when vote totals are close. In many cases candidates can pay for recounts even if they aren't close.

Recounts are common in American politics, and sometimes they even change the result--Al Franken won in 2008 after a recount flipped the result.

The Florida recount would most certainly have been finished if any of the counties had found obvious cases of voting machine hacking. Every country completed at least 1 recount, and most completed manual recounts.

I think I'd rather just have the paper ballots counted by a separate machine/person. I know it's redundant but it's worth it to have the systems totally independent of one another (and independently upgradable). It's the IRL equivalent of sacrificing some DRYness to achieve loose coupling.
(comment deleted)
The use of the word receipt is problematic since people believe that it means they can take it home with them and somehow use it later. It can be a "voter verified paper trail", I suppose. But, what's better is just having paper ballots that are optically scanned. If someone needs assistive software to fill out the paper ballot, so be it.

Even with paper ballots (or a vvpt), you still need regular procedures to audit the record to ensure that the counting and down-stream handling of the counts are correct.

A receipt confirming a particular vote could be useful to those that want to pay citizens for their vote.
Paper ballots are worthless if they're counted electronically.
They're not worthless if you mandate that they're kept around for verification.

You can automatically verify some random percentage of them and do a full recount if needed.

You can recount paper ballots on different electronic counters to verify integrity. However, you cannot vote on multiple electronic machines to ensure consistency.
Hell, you can easily recount paper ballots by hand. No need to bring any machines into it. We did this for hundreds of years, and it still works.

The ambiguities we had in the 2000 election in Florida were from people improperly marking their ballots (hanging chads, etc.). If the paper ballots are generated by machines, or at least have already been verified as being readable by a machine at the time the ballot was cast, then you will have a much lower margin of error during the manual recount.

Sure .. As long as everybody who voted takes their receipt, and is willing to go to the government and demand proof that their vote was counted. Let's see, in the USA you get 54% voter turn-out .. a re-count requiring those receipts should get what, 15, maybe 20% of those voters to participate?

There. No.

> As long as everybody who voted takes their receipt

Voters strictly can't take a record of their receipt; this opens up a whole other level of voter intimidation, where, if you voted for the wrong person you lose your job, lose benefits, get beat up, get killed.

Couldn't the receipt of votes be an encrypted result derived from the voter's key for which only the government/district has the private key ? It would not show the vote but only guarantee that your vote has not been modified. You could go to the government to get the vote confirmed privately.

Ideally, assuming you would be voting with a key linked to your identity (SIN), both the IDs of voters and their votes could be entirely public and on your receipt.

The act of counting votes would be for a set of parties to be work with only the public list and given the private key(s) to generate results. The trust there should be similar to counting paper ballots, especially if independent parties combine subsets and arrive at the same result.

Yes, that would be possible; but is significantly beyond what people typically mean when they say "just give me receipt"

> Ideally, assuming you would be voting with a key linked to your identity (SIN), both the IDs of voters and their votes could be entirely public and on your receipt.

What piece of your identity does your employer not have access to? In the U.S. they've typically seen your id, your passport, your pay stubs, your health insurance.

It's been a long time, but somewhere I voted, maybe California or Michigan, but somewhere I voted gave me a real receipt. It had a bar-code that was tied not to my identity, but to my ballot itself.

The "receipt" was a perforated piece of paper with a barcode. The votes were cast by connecting lines, and the right half of that line crossed the perforation lines, and was mine to keep. This seemed like a reasonable system, and I could then verify that my vote was counted.

As for voter intimidation, if we really believe that our democracy is worth killing and dying for in foreign wars, then it would logically follow that we must accept the risk of demanding accountability domestically.

There's also the question of how the printed ballots get counted.

If you put them all into a black box machine (or set of machines) that spits out a total at the end, you've recreated all the same issues.

No, you haven't. The issue with touchscreens isn't the machine total, but rather the lack of a mechanism for validating the machine total. Machine-read paper ballots can be and are sometimes hand-counted to validate the machines.
What's the old argument? This article refers to a current legal case and testimony that happened last week, and a judge is expected to reach a decision today about whether Georgia must change its election system just weeks before voting in 2018 takes place.

The debate is more than just paper vs. digital. Georgia is interesting not just because it has gone completely paperless (4 other states have done so), but because it is also the only state in which the system is centralized. Delaware, one of the other states to have gone paperless, have systems too old to connect to the Internet: https://www.delawareonline.com/story/news/politics/2018/08/1...

While you're quite right, if you wanted to see what the old argument was, please look at your sibling comments.
Voting is one of those problems that is, on its face, very simple: write a name down, count how many people wrote each name down, person with most names wins.

This seeming simplicity, combined with the fact that no one thus far has seemingly gotten it right, lends itself strongly towards all kinds of armchair opinions from anyone at all related to any of the fields involved.

I'm a software engineer, for example. "Design and build me a system that collects votes and produces results." is in the format of the requests I get at my job on a daily/weekly/monthly basis, so I can take it and run with it, as I am trained to do. I can come up with all kinds of additional requirements in my head, tons of edge cases, different scenarios I need to watch out for, etc etc. Basically, as can anyone who does my job, I can turn it from a (immensely vague in this case) business need into a set of technical requirements.

However, I am wholly unqualified to design a ballot device, despite the seeming simplicity of the request, and how it seems to fit nicely into my professional intake. Will that stop me or anyone else in my position from offering an opinion? Probably not!

Thus, you get the constant "re"hashing of "old" arguments, because people see these problems as "simpler" than they actually are, and "re"voice the same ideas and concepts, because it seems like some obvious problems can be solved with "just a little" modification to the existing systems.

> Barnes testified that the server that holds the data that Georgia’s 159 counties use to build their ballots is “air-gapped,” or isolated from the Internet. But he acknowledged that he uses a thumb drive to transfer ballot proofs from the server to his desktop computer, which he uses for email. From there, he moves the data to a Dropbox-like site, where counties can retrieve the ballot data.

Anyone know what "ballot proofs" refers to? I hope that's not just a fancy terminology for a tab-delimited text file that contains the voting totals. I wonder what "Dropbox-like" site actually refers to -- a cloud site created in-house by the state government? Or by a contractor that ostensibly specializes and is authorized (i.e. fills out the paperwork and background checks) to sell a file-transfer app that's basically a wrapper around a commercial cloud service?

In design a "proof" is a preview of the final design. That's probably what he's referring to. A final-ish draft of the ballot for review by the stakeholders.
That makes the most sense on the face of it, especially in the preceding context of "Barnes testified that the server that holds the data that Georgia's 159 counties use to build their ballots". It's possible that the reporter conflates this "ballot data" on the "Dropbox-like site" with actual voting tallies. Such a site for the election center to upload ballot proofs sounds reasonable, although I question why such a site would need to be "air-gapped". The data to build ballots would presumably contain entirely public information (e.g. the serialized info of which candidates are running for which parties in which races).

But even if these details about ballot proofs isn't relevant to the main point, Mr. Barnes's testimony is still concerning. He's the director of the state's centralized elections system, after all. Last year, when Lamb notified the state of the data breach, Barnes "wrote of blacklisting Lamb from accessing the website before changing his mind and ordering scans of the system". [0] That the vulnerability stemmed from Drupalmageddon is even more troubling, because it's not as if Lamb's claims were hard to verify, given how well-publicized Drupalmageddon had been at that point.

It's also worth noting that I haven't seen any read about how the elections center receives the actual vote data. The stories I've read so far -- including this WaPo article -- have only referenced voter registration data. Having this data breached via arbitrary code execution is still a big deal, if the site is used to verify voter eligibility, but AFAIK, it's (hopefully) not the same system and database that holds vote data.

(Voter registration data contains personal info, but some states actually publish it online. in machine-readable format even)

[0] https://www.mcclatchydc.com/news/politics-government/article...

I understand that they need a way to transfer data to and from the machine that builds the ballots but the method outlined above doesn't fill me with a lot of confidence. Barnes freely admitted that their desktop computer handles their email and that they use a thumb drive to transfer data from that desktop computer to the "air gapped" ballot build server.

If his desktop becomes infected with a virus of some kind, isn't it straightforward for that virus to infect the thumb drive and then to infect this server that builds the ballots? My understanding is that most "air gapped" machines lack USB ports or have those ports plugged so as to discourage their use.

In terms of what they should be using to transfer data, that is outside of my wheelhouse. But the current system seems ripe for exploitation by a third party dedicated to gaining access to this machine that builds the ballots.

Yes, and since he's outed himself a point of failure, he's sure to be subject to spear phishing campaigns.
> isn't it straightforward for that virus to infect the thumb drive

Maybe not "straightforward", but, yes, absolutely, that would be a very likely vector. As I understand it, this is how the Stuxnet worm was designed (the one that sabotaged the Iranian centrifuges).

In India, there has been a debate going on for years that EVMs should be replaced with the old paper voting method. People against EVMs say that they can be tampered and results can be altered whereas the other side says it's very safe to use EVMs.
There had been live news reports on camera where any button pressed goes to one specific party, but only for n times & m times works normal; n being way bigger than m. Then, other reports say EVMs controlled by Bluetooth etc. Now one faction is asking EVMs with paper trail, one other asking for paper ballots, & ruling party wants only EVMs & all local & federal elections at same time.
At this point, I'm automatically suspicious of any party that says it's perfectly safe to use paperless voting machines.
It really worries me for US democracy that they don't seem capable of running an election in a way that voters feel confident that their votes are counted correctly. Bush v Gore in 2000 should have been a warning but nothing seems to have improved and now we even have a president who does everything he can to undermine trust in election results. Once people start losing trust in elections and other public institutions the door is wide open for a strongman who claims to clean up the mess by getting rid of the system. Trump is a start ("clean up the swamp") but things may get much worse.
Bush vs Gore led directly to the idiotic touchscreen machines. Florida's paper ballot mechanism sucked, sure. But touchscreens are far, far worse. People fell for it.
That particular system sucked (the 'hanging chads' come to mind), could have been easily remedied without going electronic though.
Bush v. Gore was a warning, and the response was to roll out electronic voting everywhere. This solved the very specific problem that was most prominent in the 2000 election: ballots that could be ambiguously marked. Unfortunately, there are far bigger problems to worry about and this change made them far worse.
As an aside, the original source of this joke, which a lot of people associated with election tampering, was cheap resistive touch screens that were incorrectly calibrated.

You'd push a location on the screen, but due to normal wear the location that the press was recorded was wrong, this would get worse the more wear the screen had and the longer between re-calibration.

Eventually people got videos of you'd push one candidate and another candidate to the left or right/up or down would receive the vote, often in different races.

This was a scandal in the sense that the machines were not fit for purpose, overly cheap, and poorly maintained/serviced. But it wasn't a good example of election tampering (just one that fit what a lot of people expected to see when tampering was occuring).

> He said that, a decade ago, the threats came primarily from “dishonest insiders or dishonest candidates” or criminals but that “everything changed in 2016.” Russia’s efforts to penetrate states’ and counties’ voter registration systems and to hack manufacturers’ software “presented a substantially new and much more serious form of threat.”

In short, as long as the ballot could be reliably corrupted only by the locals who'd been bribed the device manufacturer in the first place, the corruption was stable. But now there's an outside player.

Electronic voting is bad, and Ireland gave up on it, but it's not the only issue in election integrity. See also: gerrymandering/redistricting, voter roll purges, etc.

It seems to me that the problem in the US is that a lot of people think it's more important for their party to win than for the election to have integrity.
Well, yes; look at the decades of voter rights litigation. There's a long history of trying to suppress Black voting. So long as that's still going on there will be voting integrity problems coming from within state legislatures.
Here in NY (and I'm sure in many other places), you manually mark up a paper ballot with your vote. You then insert it into a scanner which confirms the ballot's validity and then drops it into a lockbox.

The votes can be tallied instantaneously through the electronic system, but if there's any irregularities the lockboxes can be opened and manually counted as verification. And you can open a small number of randomly selected lockboxes every election anyway, even absent any suspected wrongdoing, just as a check to verify that the electronic counts are working as expected.

How is this not the standard everywhere? Yes, there's more paper (and thus expense) involved, but surely having a non-hackable paper trail is worth it to protect our democracy?

I was at DEF CON the first time they did the voting machine hacking. Those did not fill me with confidence.

How do you tell if something goes wrong? I think what's often missing in these discussions is a need for automatic audits, too, even if not full audits initially but only for a small sample.

If there is anything wrong found in that first series of audits, then a full audit should be requiered by law and there should be severe prison punishments for those state officials failing to start and finish those audits in the specified time after the election.

Corrupt state officials should not be able to create any sort of delays or use them as an excuse.

I'm not sure how it's handled now, but what I'd like to see is after the election closes, a random method to select poll locations is used -- such as a lottery ball machine -- and those locations are then required to do a manual recount. No one has advance notice of which poll locations will do this, so there's no opportunity for cheating (eg, turning off a defeat device at the locations that will be audited).

If there are any differences in the count then additional locations are required to also do a manual count, and if more than two locations have differences, all electronic numbers are trashed and the whole election is counted manually.

In order to defeat this system, the attacker would need control of the lottery ball machine. But we're already assuming that the attacker has control over some of the election machines, so while this is still strictly better, it's small comfort.
How do you tell if something goes wrong? Well, if you hand-count a voting machine, and it gives you a different result from the machine, then you know something went wrong. And if you hand-count a bunch of machines and they all have the same misbehavior, then it's time for throwing out the machine count altogether.
In Australia it's all hand-count, with machine count for verification. Specifically ballots are sorted by volunteers on election night to do the preferential voting, and then the stacks are counted and checked by essentially bill-counting style machines. Discrepancies mean someone else does a count and recount.

The key to all of this is involving as much of the public as possible though: democracy is government by the people for the people, the people need to be involved in its operation. The only way you dispel the idea of rigging is by ensuring a large plurality of your population was involved each time and would attest to their neighbors that they saw no misbehavior.

Electronic voting is based on trying to take people out of the process - it misses the point.

This is the point I always try to hammer home.

The inclusivity of paper voting is amazing. It doesn't matter if you are young or old, black or white, highly educated or illiterate, rich or poor, just about everyone can count ballots.

And if you think someone is trying to fuck you over, you too can go count along or watch that ballot box all day to ensure nobody is tampering with it.

Get a few hundred people in the same room that all don't trust one another and all count along. That's how you run an election.

..and we verify that everyone actually voting is who they say they are.
False voting is a severely overrated problem. It doesn't scale. One person might be able to make a fake vote/registration, or even a few of them. But enough to materially affect the outcome of an election? That requires an organized effort with likely thousands of people involved. Such conspiracies are impossible to keep secret.

Don't let something that feels wrong steer you away from much more severe and likely problems.

A large conspiracy would be caught instantly. But it doesn't have to be a conspiracy. If people know they can vote multiple times and can't get caught (and w/o checking ID I don't see how they can) a certain number will decide to do so. I can't say how often this occurs, but how can you even measure it to determine if there is a problem without some sort of ID verification system at the polls?
I don't think it's a problem that happens, though. If you're going to fraudulently rig an election it's vastly cheaper to do so by rigging the polling station than it is by faking the voters.

But by introducing voter ID systems you are very likely to skew elections away from the people least likely to possess accepted ID, i.e. the lowest socio-economic groups.

> I don't think it's a problem that happens, though

But how do you know. That's the issue. If P is the probability of getting caught, and C is the number of people caught then N ~= C/P. With our current system it seems like P is close to 0 so even with C = 0 there could be a lot of successful attempts.

Rigging a polling place is not viable because it would require coordination between multiple people and leave a clear mathematical trail after. So I would say that, including detection after the fact, that P > 0.5 and that the fact that it hasn't been caught means that N = 0.

> But by introducing voter ID systems you are very likely to skew elections away from the people least likely to possess accepted ID, i.e. the lowest socio-economic groups.

This is pretty much separate from my point but I am also skeptical about this. If someone can get to the polling place, stand in a line, and do paperwork to vote, then why could they not do pretty much the same thing to get an ID?

Apples and oranges. Polling costs nothing; ID costs money. Polling places are usually within walking distance of home (at least in urban areas); license bureaus are scattered and distant.

My polling place is two blocks from my house. I can walk there, vote, and be home in 20 minutes. Last time I had to renew my license, it was a three hour ordeal that cost me money and an afternoon of work, and the nearest station is miles from my house (in a dense city).

This is a good point. Would be fine with SSN as a unique identifier with no paperwork presented. Would be as easy to fake as current system, but would generate an obvious signal when there is a fake number or collision.
> Rigging a polling place is not viable because...

This argument is sounds great but doesn't match reality

https://i.redditmedia.com/NITi8srtcW0xIfOQXPZda6zJNrpb_jRbwg...

Edit: Link to the paper: http://www.pnas.org/content/pnas/early/2012/09/20/1210722109...

Ok, rigging a polling place in a well-designed system under rule of law is not viable.

Consider the Minnesota example. In MN, all physical ballot handling, whether marked or unmarked, sealed or unsealed, must be done in the presence of members of at least two different political parties. Since the only ways to rig an election at the polling place are to either add, remove, or substitute ballots, this makes such fraud extremely difficult to do, especially at scale.

Of course it's possible. And it probably happens. But can it realistically affect the outcome of an election?

As I've said, about 1.5M people vote in Minnesota alone. Altering the outcome by 1% would require 15,000 additional votes. And this would need to be completely one-sided, so the "anyone can do it" threat you bring up should cluster around the mean - about the same number of "extra" votes are cast for each side.

Don't get caught up in scope issues. The problem we are trying to solve here is the legitimacy of elections. Does a little noise around the edges actually undermine the legitimacy of the outcome? Can it do so?

Also, remember there ain't no such thing as a free lunch. Any mechanism that detects multiple votes by the same individual will produce a number of false positives - thus denying people who are not cheating of their vote. This is actually the pernicious, immoral logic of Voter ID laws in the US. They're marketed as ways to prevent fraud, but the actual intent is to reduce turnout in certain (mostly poor) communities. This is why support for these laws is so deeply partisan - one party is pushing for them, and one is fighting them, and the party pushing for them isn't actually that interested in fraud. Their political interest is partisan advantage, and their mechanism is misleading citizens about their intent, so people will tolerate what should be intolerable.

Scope and distribution is a good point, and I'm not trying to say that this is an issue that routinely affects elections (and if it is I would look at small local elections with tiny turnout), but it can't be disproven in the current system and this is a problem.

A system that ties each registered voter to a unique ID which is basically implemented for you if you require ID at the polls will have a false positive rate of ~0 much lower than our current system. This is actually a side benefit.

That fails to address my points, either that there will be a cost in false positives (have fun stopping that), or that the motivation for making political hay out of this is partisan advantage from the false positives, not actually reducing a threat to democracy.
Actually pretty easy. Thought of it after that post. No physical id requirement. Look into camera and enter SSN/DOB/name into PIN pad. If no match no vote. In case of identity theft there will be a collision and in that case let them through but send the photos and data to the police to arrest the faker.
Fun fact, not everyone has a social security number, and they thus aren't required to vote. There is no single national ID number that would work for this purpose. The closest thing would be some kind of state-based voter registration ID, but no one is going to have that memorized.
Florida's election fiasco in 2000 won Bush the election.
Yes, but that was a completely different issue from fraudulent voting (which wasn't found at any scale there); rather, it was a problem of bad ballot design and bad voting machines that didn't fully punch through the paper.
I would expect there to be a high number of cases where a person goes to vote and is rejected because "they" already voted. Is that not sufficient to raise the voter fraud flag without adding additional friction at the frontend?
As an Australian living in the US now (where voting is ... interesting) I now recognize how awesome the Australian system is.

The other great thing not mentioned here is that elections are run by the AEC, a non-partisan commission.

They are also in charge of redistricting.

So you don’t have gerrymandering and you don’t have BS going on like what happened in Georgia where they “accidentally” wiped all the data 3 times when subpoenaed by the FBI.

Add to that compulsory voting, elections always run on weekends, and a thousand other small things and it’s like one country wants you to vote and the other does not.

> Well, if you hand-count a voting machine, and it gives you a different result from the machine, then you know something went wrong.

And you'll probably have to ask someone who's not in the room about what went wrong. With human hand-counts, the person you need to ask is already sitting there. No mystery, no confusion.

aka a recount. Rules vary by jurisdiction. eg When a contest is close.

Some places already do partial recounts. It is expensive. Most jurisdictions don't have the budget.

One thing I'd like to see is that every ballot gets a UUID assigned when it is cast. You get a receipt. All votes get published on a public web site. You can tally the votes yourself if you want to check the accuracy of the reported totals, and you can check your own ID to see that the vote was recorded accurately.

It's not a perfect idea, but I like the upsides more than the downsides.

This is unfortunately dangerous. It means that you can provide proof of your vote to others. That's no good; it makes buying votes or punishing workers/family members/whoever for voting the wrong way much easier.

That said, there are some really interesting non-interactive zero-knowledge proofs for elections that accomplish what you're intending without this flaw. Their main downside is that, compared to tallying, they're complicated.

> How is this not the standard everywhere?

Largely because election officials are also not computer security experts (or even serious amateurs). Therefore when "big corp" comes knocking with their newfangled electronic touch screen voting system that promises fast, effortless tallies and "security" (it's, right there, the box is checked on the ad brochure...) the election officials have no background with which to be skeptical of "big corp"'s products re. security. And with the promise of "effortless, instant, tallies" (vs. a long overnight counting paper manually) they see the newfangled thing as an improvement over that which they do understand (the long overnight counting paper).

The election administrators I've met are knowledgable.

This is IT. When have the technical experts been empowered to make purchasing decisions?

To know, is to know what you don’t know.

If you are buying IT and you aren’t sure about some spec, security apparatus or venerability, then you can’t be considered knowledgeable.

No one can be expected to know everything but then they should be surrounding themselves with experts and counseling with them ad nauseam

NY's system is pretty good.

Something you don't mention but is another nice bit is they have poll observers from each major party watching at each elction site.

One thing they don't have but I wish for is that, after the machine-count totals are in, each party represented should be able to name a small number of precincts for an audit/hand recount. Parties at this point have pretty good modelling of expected results at a precinct level. That would give a cheap way to get lots of certainty against tampering of the machine vote counting.

Georgia had a very similar system, at least in my county, in the late 1990's. Then after the 2000 election we threw away the convenience of electronic tallies with the security of paper back up for the Diebold touch systems. I always feel like voting with those machines is just theater. There's no way for me to validate my vote.
This is not bad. Need to think about it... edit: Consider it is scanned after voting has closed instead, during counting. Does that change the characteristics of this system with respect to trust etc?
That would give up one very valuable feature, namely, that scanning it at the time you're voting gives you immediate feedback about the validity of your ballot. If you accidentally voided your ballot by voting for more than the allowed # of candidates in any given election, or if you didn't bubble in the ovals properly and it can't read them, then your ballot will be rejected and you can fill in a new one. If you wait to scan until after voting has closed, then the person's vote will be thrown away instead of fixed.

Also, how are you going to scan all these ballots after voting has closed? That would require opening up the lockbox, which tampers with the security of the system. Plus, you're no longer getting results instantly; you'd have to wait until the polling place is closed down, and then open up the box and scan all the ballots. What possible advantage does this have? It'd just slow everything down.

> “I don’t know any conceivable way you could change Georgia’s election system . . . in a matter of weeks,” said Cathy Cox, a former Georgia secretary of state who oversaw the 2001 study that led to the state’s adoption of DREs. “It would be chaotic beyond belief.”

Oh yes, it would be awfully hard to make this switch in a matter of weeks. But this time crisis was created by negligence, since it's now been 2 years since officials were made aware of the problem.

> The unsecured server that Lamb exposed in August 2016 is part of an election system — the only one in the country that is centrally run and relies upon computerized touch-screen machines for its voters — that is now at the heart of a legal and political battle with national security implications. > > “I was absolutely stunned,” Lamb said of his discovery of the exposed data. And he was angered when six months later, despite warning officials at Kennesaw State University’s Center for Election Systems (CES), which housed the server, the data was still publicly accessible online.

Unfortunately it seems at least one of the people (Cathy Cox) responsible for this system is no longer in a place to be held accountable. She should be tried for negligence, along with the other administrators/politicians that drove deployment of this system.
If they’re forced to switch, it will be perfect cover for the governor to conduct a voter disenfranchisement campaign.

Whoops, there aren’t enough paper ballots in some precincts? I wonder which ones. Boy, we were forced to do this in such a rush I guess we made some mistakes.

Thought this was gonna be about the country :/
I've said this before, but I'll say it again because it's always useful in these threads...

I believe that a well designed paper ballot system is superior to any paper-free system. Furthermore, I think the concerns of the general public about what is actually problematic in elections (and what solutions can work) are generally wrong. I'm basing this on my experience as an election judge in Minnesota. I'll describe the system, and you can decide for yourself.

Minnesota uses paper ballots read by Scantron machines - the sort of bubble-marked sheets you used for tests as a kid. We have same-day registration and provisional ballots available for unregistered or incorrectly registered voters. We do not require ID for ordinary registered voters. There have been two statewide recounts in recent years - the 2010 governor's race, and the national-profile 2008 Franken/Coleman Senate race recount.

Now, the process. First and foremost, all activities that require handling ballots, whether marked or unmarked, sealed or open, must be done in the presence of representatives of at least two political parties. It is flatly illegal for one party to handle ballots alone. This prevents all sorts of fraud - either adding fraudulent ballots, or removing marked ballots.

Second, a simple paper tally is kept of the number of ballots cast in each precinct. At count time, the number of votes counted by the machines must exactly match the number of ballots given to voters. A mismatch triggers a hand recount of the precinct and a bunch of other validation bureaucracy. This checksum also prevents the addition/subtraction of ballots at the precinct level.

Voter machine tallies are spot-checked by hand counts of individual machines - not enough to slow down the process, but enough to insure that there was no large-scale alteration of machine behavior.

Registered voters are on paper rolls. When a registered voter arrives, their name is marked off the list and they are given their ballot. If someone tries to vote twice as the same person, it's caught (and triggers bureaucracy). Their ID is not checked. Same-day registration requires ID and proof of precinct residency; the valid documents are well specified (utility bills, etc).

Political parties are invited to have poll monitors at any and all precincts, to keep an eye on the process. The poll watchers do not touch ballots or participate in the count, but are welcome to observe. They can also challenge individual voters, which makes ballots provisional and may lead to ID requirements. (I remember in 2004, the Democratic poll monitor was convinced the Republican monitor would challenge every single brown-skinned person in the precinct, and the Republican was convinced the Democrats would bring busloads of fake voters in from Wisconsin or something. Needless to say, both were wrong.)

The result of all of this is that highly accurate informal counts are available on election night, thanks to machine voting, but manual recounts are always available, thanks to the paper. And the integrity of paper ballots is strongly protected by process.

The only even arguable gap is the idea of fraudulent voting by using other people's registrations, or fake registrations. But actually doing this at a scale large enough to matter is difficult and risky. Minnesota presidential elections draw about 1.5M voters. To alter the results by 1% would require 15,000 fraudulent votes. If someone could vote once an hour, they could maybe vote 15 times. You'd need a thousand people, with training, transportation, and written data. It's hard to keep conspiracy at that scale secret.

So yeah. This is trustworthy. And it's simple. It doesn't require exotic technology. It's mostly just good bureaucracy.

As a fellow Minnesotan I have high confidence in our election system due to everything you described above. Given that, it's probably not surprising that our state regularly has among the highest voter turnout in the nation.
Every time I see in the news about how Georgia or Ohio or some other barbarian backwater is having trouble doing something as straightforward as having a reliable and trustworthy voting system, I want them to just adopt our model wholesale.

I'm sure the Great State of Minnesota would be happy to host representatives from other states, offer them our laws and process documentation as a model, and advise them in joining the world of effective and trustworthy democracy.

I do not understand why paper ballot would be difficult to achieve, that is the easiest to do!

I never voted in the US, but the system seems overly complex for such a simple exercice. Here in Canada, we have a paper ballot (http://www.elections.ca/vot/yth/stu/gui/images/dxsmp1-e.jpg), which is pretty simple. The vote is done, the stub is tallied and 2 people need to verify the vote before dropping it in a sealed box. When the polls close, the votes are counted, by multiple persons, by hand. Nothing electronic.

... and there is a single vote at a time, no votes on laws when electing representative, etc. That is just non sense.

In case you missed this finer point, the Secretary of State who has certified these machines is also the candidate expected to win the election by a small margin. He has refused to recuse himself from the responsibility of ensuring a fair election.
Kris Kobach had the same arrangement in Kansas recently, he ran the election and was a candidate. He won very narrowly and many people suspect he stole the election.
And this is another angle to the problem. Even if everything was on the level, just the perception of corruption increases cynicism and decreases political engagement.
I feel like a broken record on this topic. It drives me crazy.

ON-SITE OBSERVERS.

If any person wants to check the vote they should be able to stand there and watch the whole thing and then demand a manual count on-site immediately afterwards. No bringing ballots somewhere else to be counted.

Democracy is how we stop violence from deciding resource allocation. It will be undermined if it is at all possible.

Also, I really hate how electronic voting machines instant tally elections. We had that here in Ontario[0] and completely aside from my security concerns over e-voting, having the night end in a single minute ruined the normally fun nail biting as the results came in on CBC.

[0] Which, by the way, did not allow me to be an on-site observer. Do I distrust Elections Ontario staff? No, but I shouldn't have to trust people. This is a fucking election. I ran the last federal one as a DRO. All paper ballots are 100% secure. The fucking e-voting lobby is evil.

In Minnesota, we allow on-site observers. They have to follow the rules, but they can watch, and have certain privileges (such as being able to challenge a voter's registration, turning their ballot into a provisional one).
> I really hate how electronic voting machines instant tally elections.

I understand the sentiment, but I dont think entertainment should be any kind of factor in this decision.

> I shouldn't have to trust people.

Verification systems are great (I fully endorse the electronic-for-convenience-backed-by-paper system), but ALL systems require that you trust people. The key is to have sufficient verification, both instant and later, to make fraud difficult, detectable, and provable.

The only trust worthy system is built on mutual distrust.

Please sign up to be a poll worker. Then you'll see first hand how it works.

I generally agree with your statement about trust systems - but my point is that we have to end up trusting a lot of people anyway, even if it is a matter of trusting the people that design the systems. I can't verify everything about my life and still have it. So we need to design not only based on mistrust, but also include post-facto verification systems so if questions are raised we can go back and apply the distrust we were too busy to do originally.

I was going to say that I can't sign up as a poll-worker because I'm in a mail-in-ballot state, but it appears I'm wrong. I'll look into that - it's definitely an accessible (for me) form of civic service. Thanks for the suggestion!

The core difference is that if you trust, say, 5 people. You can quietly send them to 5 random polling stations and get them to relay back what happened.

Basically even the extremely conspiratorial can trust the election if there are observers that can be there from start to finish. Saying "just trust our government's employees" is not a real solution.

>I understand the sentiment, but I dont think entertainment should be any kind of factor in this decision.

Note that the above poster was talking about Ontario. Canada has a different relationship with election results. It is illegal for Canadian results, including entrance/exit polls, to be announced prior to closing. In the US this would be seen as a radical freedom of speech issue. In Canada it is normal. In the US it is normal for people to see initial results and perhaps rush in to vote, or stay home if their candidate is leading. US politicians also regularly concede defeat based on preliminary results. So someone fiddling with the display of preliminary electronic results can, in the US, directly impact the final tally.

That isn't a thing in Canada. We don't expect to know anything until after polls close. So we have no need of "instant" tallies. Counting happens during the day but results are not published. Electronic voting might speed it up a little bit, but never would we get close to the instant feedback possible in the US.

> In the US it is normal for people to see initial results and perhaps rush in to vote, or stay home if their candidate is leading.

Is it? I was under the impression that most everyone had adopted a voluntary policy of not reporting exit polls prior to closing, at least since 1980, so that's just shy of 40 years of not doing as you describe. I've certainly been ignorant of results until polls close. I recall estimations of "turnout by party" and "what issues motivated you" prior to closing, but not how people ended up voting.

> It certainly doesn't have anything to do with entertainment.

How do you think the OP meant about the "normally fun nail biting" experience that is electronic voting "ruined" by ending "in a single minute"?

> All paper ballots are 100% secure.

What do you mean by this? It seems to be a claim that election fraud wasn't possible before the development of electronic voting?

The paper ballot doesn’t change once you take your eye off it.

Of course election fraud is possible in any system, but it is really easy to make it practically impossible in a paper system by simply allowing observers at any stage of the process. The system is so simple that anyone can detect wrongdoing. That is of course not true with all-electronic voting.

This is very much an outsider with no skin in the game making suggestions...

Considering that the US is a federation, would it not make sense for the federal government to run local elections as a service?

This is on the back of another idea that has been floated around for elections in regions where "free and fair" is an aspirational goal. I stead of an international body certifying elections, it might be better to have a 3rd party run the elections, and make all the implementation decisions.

..just to keep a separation of powers between election system and candidates running within that system. Similarly, as referendums are increasingly important in many European locales... we need a more nonpolitical body empowered to finalize the wording. A president perhaps, for "westminster-like" systems.

> Considering that the US is a federation

> fed·er·a·tion

> a group of states with a central government but independence in internal affairs.

Your conclusion from "Federation" seems off; importantly, this upcoming election is solely for internal affairs (Governor, SOS).

Beyond that, it's important to note that each state can have their own way to assign electoral votes for presidential elections, some are winner take all, a few split on percentages.

The federal system here is fairly weak, by design -- and the ideology of that weakness is still prevalent. Making this shift would probably require more arm-twisting and political capital than the federal government can apply even when federalists are in power. There's a latent suspicion of the federal government in the electorate here that is usually pretty easily activated.

I'm also not sure I see the advantage to centralizing this. It's a case of "many hands make light work". There's a lot to do to conduct an election. Breaking the task among lots of basically autonomous units, made up of local individuals instead of some faceless Washington bureaucrats (see, there's that latent suspicion ;) gives some resilience -- and helps voters feel connected to the process.

Also worth noting that although the structures of the various intra-state governments are broadly similar, there's plenty of differences that would be a pain in the neck for a federal administration.

Hand counting of paper ballots is a highly parallel process that can be done quickly at any scale. The only reason to introduce counting machines is so that someone can extract money from it.
I mostly agree. We should be hand counting all ballots. But also incorporating a counting machine could help improve reliability similarly to a checksum. If the hard counted and machine results are not identical, then recount because there was a mistake somewhere.
FWIW, most proponets of hand counting advocate "sort & stack". For elections in the USA, that means a count per race / issue. Some jurisdictions can have over 30 per ballot.

Further, each precinct has to be tabulated separately. The poll site I ran for years had 5 precincts, roughly average. We'd have 400-800 ballots per election, depending.

One change that would make manual counting more feasible would be to split our ballots into federal, state, local.

Every election administrator I've ever met opposed manual counting. Mostly because it's a lot of work.

A group of intended to run experiments to determine the effort, cost, accuracy of manual counts. Simulate a real election, eg print up marked ballots where the totals are predetermined but not known to the counters. Alas, we never got our act together before every one burned out.

PS- Any tabulation method has to accommodate marking errors, aka adjudicating voter intent.

Electronic voting also makes it easier to manipulate the results of elections.
Paper voting is a waste of resources. And can be frauded the same way as electronic voting.
Ah yes, it's famously easy to remotely change thousands of pieces of paper that are locked in boxes.
We should also have ICE on hand to prevent any foreign interference with the election! Russian agents can't interfere if everyone is checked for citizenship at the polling place.
You can only do that in countries which issue mandatory national ID to everyone. Otherwise it's a license for ICE to check ID only of nonwhite people.
who said anything about skin color? what is in place to stop foreign nationals from directly influencing our elections?

They should check everyones ID especially white people, we cant have Russians voting in our elections!

(comment deleted)
As a Georgia resident, this is highly disconcerting. I would be quite happy, willing, and patient with polling precincts had to switch to all-paper ballots if it meant guaranteeing that my vote was accurate and actually counted.

While I almost never vote for a winner, since I'm an outside middle-ground voice in this extremely conservative state (on the whole), I at least want the confidence that my vote wasn't tampered with. Right now, I have no such confidence. Yet I will still vote because it is my right and not voting is not the answer to this problem.

I think the onset of election season has caused these types of articles to become in-vogue. I have been surprised by the reactions of what is mostly a tech savvy community. Full disclaimer, I work at a voting tech company as an engineer, and just wanted to give my 2 cents.

- Paper ballots and Risk limiting audits do not actually constitute a perfect solution to this problem. They do not constitute what is considered an End to End verifiable voting system. You cannot actually definitively know that your vote was counted in the final tally, and cast as intended. The Risk limiting audits as currently structured can only verify that a computer counted a small sample size of votes as a human would. It cannot confirm all the votes were counted, or that your vote was not tampered with.

- Paper ballots also do not address the needs of folks voting over seas, or those affected with disabilities.

- When current election systems are often described as easy to hack, the systems referenced are often hardware that is 10-20 years old. If you look at the landscape of the Election's industry, there are only 3 vendors that account for over 90% of the public election market share in America. These system's were put through certification many years ago, and continue to operate through those certifications. The result of an inability to innovate in this space, is that we will continue to use those systems (that many perceive as vulnerable) for the foreseeable future.

- Smaller election vendors are encouraging the idea of recurring certification, as well as more stringent certification requirements.

Most people who use these forums are very capable of understanding concepts like Asymmetric encryption, checksums, and other tamper proof methodologies for high value data. If you can trust the idea of an Encrypted e-mail server ( e.g. Lavabit ), or encrypted chat servers (Signal), it should not be hard to imagine that there is a secure way to conduct elections electronically and through the internet.

Finally, given how the past few decades have progressed, it seems that you would be on the wrong side of history to say that electronic voting cannot be done safely in a digital form. The process needs to be secure, but it also needs to be convenient, safe, fast, and trustworthy. Observing a few votes being cast in your polling station is nothing compared to observing every vote being cast for a given election.

> it should not be hard to imagine that there is a secure way to conduct elections electronically and through the internet

It's hard to imagine because it's completely impossible. In most of the world not being able to prove you voted for someone in particular is considered a key characteristic of the vote. No internet based voting guarantees this.

> Finally, given how the past few decades have progressed, it seems that you would be on the wrong side of history to say that electronic voting cannot be done safely in a digital form. The process needs to be secure, but it also needs to be convenient, safe, fast, and trustworthy. Observing a few votes being cast in your polling station is nothing compared to observing every vote being cast for a given election.

Throwing around claims of wrong side of history would be just an insult it wasn't so dangerous. Paper voting is not secure because you "observe some votes being cast in your polling station". It's secure because each polling station is staffed by political adversaries that do the count together of every single ballot. This is much better than the level of systematic verification than you can ever even attempt to do to your huge stack of software and hardware. It's also a kind of verification that everyone understands and so it effectively convinces the losing candidates they actually lost. Which is as much of an important characteristic of a voting system as getting good counts.

So get off your high horse. Apparently you design these systems and don't understand the actual safety characteristics of the paper count. The kinds of attack surface electronic systems add is huge and yet they provide no actual advantages to properly run elections. The thread is already full of examples so I won't add more but it's telling that in most of the world this isn't an issue at all because we just run our simple, cheap, reliable and fast process like we've always done and forget about it.

I found this medium article investigating fishiness in Georgia elections a couple weeks ago. https://medium.com/@jennycohn1/georgia-6-and-the-voting-mach...

Kathy Rogers was GA election director, now has a golden parachute at the company who manufactures electronic voting machines for GA. She came to my attention for writing a menacing-but-technically-incompetent letter to DEFCON vote hacking village attendees.

Skeptical because only published on medium, but seems like Cohn might be onto something.

The only electronic voting machine I would ever trust wouldn't have any more hardware capabilities than a TI-81 calculator. It doesn't need it, and every bit of extra bullshit and hardware and layers of software is a security vulnerability. The only other problem I see after doing that would be whether or not to publicly release the hardware diagrams. Maybe have the gaming commission verify the machines like they have very successfully done slot machines and electronic gambling machines.