I like this trend towards e-voting since it seems to be influenced by trends in cutting edge blockchain technology like decentralised autonomous organisations. It means that novel types of national governance may follow from blockchain governance models, such as liquid democracy.
This would be a vast improvement over our current representative democracy model since we'd be able to hold politicians accountable more easily, lobbyists would be less influential and we could put our voting power behind domain experts for issues of importance.
The German Pirate Party tried liquid democracy, and the result was similar to what's going in Wikipedia: There's a small set of people with more time on their hands than it good for them or others, and it doesn't take long for them to take over.
I'm confused, why would a small set of people with time on their hands be able to compromise a liquid democracy? Are there not workarounds to the problems encountered? Interesting how we iterate so often, yet are so concrete in our conclusions about improvements to our own governance.
As one of my friends (and no a local councillor) who was involved in Conservative politics at uni in the UK said it gets taken over by "a bunch of drunken yahoos".
She was taking about the FCS and People like Guido Fawkes.
Oh "Yahoos" refers to Jonathon Swifts Yahoos not any one employed by Yahoo
A lot of these proposed solutions in first sight look like solutions, but I've yet to find a "blockchain" (or any other buzzword) system that offers clear advantages. In practice most of the times it's plain old ploutocracy or founderocracy disguised under the veil of a new tech (with the help of an "innocent non-profit foundation")
Although not witout issues, the overall trust seems to be pretty high for e-voting(and voting numbers confirm it). And when voting, papervote always triumps digital one as last resort.
I also think this is one thing that also gets more young people to vote. They are familiar with technology and so used to doing everything online. For example I would have not voted for the last couple of elections if digital voting would not have been available.
As I replied to the another guy under this parent, any analysis done on previous years it absolutely out-of-date by now. We'd need new reviews to make a proper assessment how (in)secure it is.
They have also changed the wifi password that they had made public in one of their youtube videos via a note on the wall.
(Sure, it was the guest-wifi but still)
That is worrying. How do you know that the voter could vote freely and didn't sell their vote? Corruption around vote-selling is a concern in certain ethnic enclaves in Britain, and there were even elections annulled over that. The foremost concern shouldn't be convenience, it should be that the vote is safe and secret.
You don't. Which is why this should definitely not be used for important votes like these. It may work fine at first but the attack surface on your election (and thus on your democracy) has just increased massively.
What is stopping The Public from watching electronic ballots just as equally as electronic ballots?
If I wanted to see paper ballots, how is that different from wanting to see electronic ballots? I'm not confident that I could successfully petition Government for paper ballots just as much as I could sue a given contractor for same electronic records.
If I want, I can go down to my polling place before it opens, inspect all the boxes to be empty, watch as people put their ballots in, then watch as the boxes are emptied and the ballots counted. If I'm not allowed to do all this, I can't trust the vote unless I trust the people that administered it.
Electronic voting always requires trust in the administrators.
When someone writes something on a piece of paper, puts that piece of paper in a box, and later I see someone reopens that piece of paper then I can be reasonably confident I see whatever the original person wrote on the piece of paper.
I have no such confidence in electronic messages. Unless they're plaintext.
Because the count is done by representatives of each party together and each of them won't let the others steal for their side.
The characteristics of paper elections are well understood and can be shown to be sound very easily to any common citizen. The massive attack surface of electronic elections is poorly understood even by technical people. It's a massive amount of complexity and expense for exactly zero gain.
>That is worrying. How do you know that the voter could vote freely and didn't sell their vote?
Historically, vote buying in the UK and the US used to be rife until it was cracked down upon (which came after it was made illegal). Once that happened it completely disappeared.
For voters to sell their votes, somebody needs to advertise that they are willing to buy their votes. That advertisement makes them easy to detect, track down and prosecute.
Vote buying doesn't worry me in this system but hacks certainly do. It gives the impression of being a very insecure system.
yeah but part of cracking down on vote buying has to do with making it difficult to track if you actually did vote for who you said you would, with online voting it becomes totally possible to track you did the vote, give it to the guy who has promised to pay you, forgive your debts, the debts of your son, not beat you up, allow you to keep your job etc. etc.
>yeah but part of cracking down on vote buying has to do with making it difficult to track if you actually did vote for who you said you would
That isn't necessary to prevent vote buying. Vote buying is easy to detect because advertising in secret is impossible. All that's required is the political will to look for people wanting to buy votes and come down hard on them when they're detected.
Moreover, if you do do away with the ability to track then you open up the electoral system to other forms of abuse that can't be trivially eliminated with police and stiff sentences.
>it becomes totally possible to track you did the vote, give it to the guy who has promised to pay you, forgive your debts, the debts of your son, not beat you up
If I were to define "secretive electoral fraud that could never possibly scale" I would define it as "I promise not to beat you up if you vote for me".
Do you think every election ever held that can be worth money and power is the size of the U.S National Election?
As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.
I mean definitely making it not worthwhile to buy votes because you will not be able to tell if you got what you paid for seems a more foolproof strategy than make it possible for people to determine what they paid for but threaten to throw them in prison if they do.
on edit: corrected second use of word money to power.
Are you saying that it's small enough that you can sway the election by threatening to beat up every voter?
That's a brave claim.
>As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.
there is ZERO profit to be made in vote buying if you are thrown in prison after purchasing your 9th vote. You'd have to be enormously stupid to even try.
that's why vote buying doesn't exist. that's why it's not like drugs. It's not because you "can't tell people" who you voted for. It's because it's trivial to detect, easy to crack down on and there's nothing to be gained by risking it. The only time when there was something to be gained by doing it, it was because it was COMPLETELY LEGAL.
Let me repeat that: the only time in history it was ever a problem, it was because it was LEGAL.
I want proof that my vote counted because that helps protect against the kind of threats which DON'T disappear just because they're made illegal. I don't need people like you telling me that I'm not responsible enough to get proof because I might sell it.
>Are you saying that it's small enough that you can sway the >election by threatening to beat up every voter?
>That's a brave claim.
No, generally the way it works is letting the word get out that if people vote for X you will come kick their ass later. For example if go beat up vocal supporters of X before the election and shout we're going to kill you if you vote for X, we know who votes for who because our hackers can see it online fools. Then people might be, oh I don't want anyone coming by my house and kicking my ass after X wins. So I will either not vote, or I will vote for Y so I don't get my ass kicked or even killed, sob.
If we think you voted for X and we come by your house you better be able to convince us you voted for Y! That actually scales pretty good because you only have to publicly hurt a few people before the election, and then hurt a few people after the election if X actually loses so the next election people will be well I better vote for Y and prove I did it. And people now have to actually vote for Y and show they did.
I mean the thing you're saying about the only time people ever bought votes was when it was completely legal, maybe that was true - was it also possible to prove who you voted for? I mean I don't know what you are actually referencing with your completely legal vote buying line but the implication that people would not buy votes to get power seems if it were illegal to do so seems incredibly silly given all the other illegal things people do to get power.
ok it is true that with sufficient technical prowess one could fake that they did the vote, but as a general rule hold your iphone up in front of the monitor and make a video of you doing the vote would be a good enough solution for most criminals.
I think 19th century? Not too sure of the exact dates. I do know that it persisted for a while after it was made illegal and then disappeared completely once it actually started being prosecuted.
Vote buying could still re-emerge but it can only flourish in an environment where you can do it openly with impunity - i.e. it's legalized or the cops for some reason think they can't touch you.
Your first link doesn't appear to be about vote buying (looks like low level postal fraud which is something else), the second is only about allegations (and again, postal fraud) and the third link looks like a 404 to me. I would be surprised if anybody's seriously attempted vote buying in the UK in the last 70 years.
It also became much less cost effective after the franchise was extended - when UK Constituencies had a small number of voters it was more practicable - see the Blackadder episode "Dish and Dishonesty"
How exactly do you propose vote buying would work? Somebody has to advertise it, somehow validate results, and then engage in widescale monetary transactions in a method that would appeal to a significant number of voters. All while also somehow avoiding all legal issues in the process. And this all needs to somehow be more effective than the typical pattern of just dumping millions/billions into half truths, mudslinging, and the other noble arts of modern politicking.
By contrast, I do think high level integrity of a vote is something we should be constantly vigilant towards. Was your vote counted? Was it for whom you wanted it to be? Integrity and validation are areas where e-voting could pull far ahead of traditional paper voting. As a nice thing you'd also have instantaneous and 100% accurate results instead of this silly 'Let's have the supreme court decide who won.' type affair.
Are you implying that vote buying and voter coercion are theoretical threats? They are real and very common problems even in old fashioned paper ballot elections.
The article answers that. You can cast your vote as often as you want; only the last vote cast counts. So someone could coerce you to vote A (often a spouse), but afterwards you just go and vote again for B.
Of course that requires having the opportunity to vote again, so the solution won't deter anyone determined enough.
With paper ballots that problem exists too when you can authorize another citizen to vote on your behalf (this tends to be limited to one or two extra votes per person).
> You can cast your vote as often as you want; only the last vote cast counts. So someone could coerce you to vote A (often a spouse), but afterwards you just go and vote again for B.
How does this help you? If some one can coerce you once, they can coerce you again (and coerce you in showing when you voted last). Your assumption seems to be that the person forcing one does not understand the system.
Not my understanding; just how the system is explained there. I would guess that after casting the vote you can only see that you voted, not when. The only way to ensure someone votes the way you want them to is to wait until the very last moment (or just take away their identifiers).
Again, this is no different from using another citizen's mandate to vote for them, and it doesn't scale.
Of course there are plenty of other problems with e-voting that remain unaddressed.
How do you avoid it with paper ballots? When your union boss tells you, "send me a picture of your ballot and ID from the booth, if I don't see a mark next to the Foo party, you'll have a problem", you either can spoil your ballot or vote for the Foo party.
Just to avoid people collating together all e-voting (voting machines and similar) with the tech that Estonia uses (they call it i-voting for that reason), could the title be changed from "e-voting" to "i-voting"?
"The system has been designed to ensure that voters' computers are not infected by any kind of malware that could change or block their vote."
I'm sure this cannot be subverted by an attacker with the resources of USA/China/India/.., or with access to the supply chain from the chip fab onward (don't forget about malware hidden in USB cables!), or or,...
And you'd have to be dead sure, because, unlike with physical votes, there will be few-to-none signs of subversion. You can vote physically, but what do a few physical votes matter when the attacker can change the vote of 30, 50, 70% of the population.
And how do you change the system, when all parties promising to do so can't get enough votes?
Now you can demonstrate to anyone what you voted. That's how you get people selling votes. In any reasonable election system you need to be able to be sure your vote is being counted without at the same time being able to prove who you voted for. The demands of voting are incredibly unsuited to digital systems and definitely to any online voting. For every layer of extra complexity you add there's either a way to subvert it to break another of the essential guarantees of voting or to use it to DoS your election.
Can't you hash a signature of some manner to your vote in a manner only the individual can know how they voted? After all this is exactly how login/passwords work.
You can film yourself voting now. Vote buying is not a serious problem, and can be readily solved by stiff jail time for attempting it, and large monetary rewards for reporting on people doing it.
If you get 10 years in prison for trying to buy votes, and the government offers a standing reward of say, $100,000 for evidence that leads to a conviction, all of the sudden you have to pay substantially more than $100k/vote, which means that it's completely impractical to engage in.
Those kinds of penalties and worse don't stop organized crime, for instance.
Politicians also tend to do all sorts of crazy, risky and/or illegal things to get elected or for personal profit. Nixon and Trump spring readily to mind.
If the reward is large enough, someone will risk it. Sometimes the reward doesn't even have to be large at all -- witness rich celebrities shoplifting, for instance.
People can also be compromised and blackmailed in to committing crimes, or otherwise feel desperate and at the end of their ropes, so they'll try anything.
That's to say that such laws shouldn't be made, but I am skeptical that they'll be enough.
None of that makes any kind of sense. You can't risk it when the equilibrium is that bad for you. Remember, to make any appreciable dent in an election outcome, you need to convince thousands of people to vote for you, and not turn you in, despite the 100k reward. There is zero chance of that ever succeeding.
That's what we have investigative agencies for. We already offer these kinds of monetary incentives to criminals all the time. We also offer them for reporting tax evasion. Seems to work fine there.
You don’t even need that. In many systems, you can vote multiple times, and only your most recent vote counts. As a buyer you have no way of knowing if your agent didn’t vote after they photographed them self voting for the party you picked.
That's definitely a good improvement over a single final commit, but there has to be some cut-off time and it would be perfectly possible to control the voter's ability to make last moment corrections. Buy/coerce the vote close to the deadline, then keep them occupied until it's over.
A countermeasure might be an undisclosed deadline lottery: a guaranteed voting window until some time t, then allow corrections until an individually randomized cutoff moment t+x, with a sufficiently big range for x (up to two days, perhaps?). Don't provide feedback wether a correction went through or not to make it even more opaque to a possible buyer.
But that only happens when for some contrived, malicious reason you felt pressure to cast a vote that did not reflect your real opinion. The random deadline extension weakens that attack.
People free from interference would simply make their first vote their real one, cast safely before the earliest possible deadline.
> but there has to be some cut-off time and it would be perfectly possible to control the voter's ability to make last moment corrections
There is. In the Estionial election it is something like the day before election day. But even if there wasn’t if you need to spend the time and effort to coerce your agent for anything longer then few hours, buying enough votes to sway any election is going to be unfeasible.
It's not a problem because there is too much "friction". Vote buying is already not impossible but way too hard to establish itself. When it becomes gradually easier it still won't be a problem, because it is still not yet established. So you allow even more changes that make it easier, because it's not a problem yet. Call it a slippery slope argument all you like, but there is a crazy amount of inertia in the absence of vote buying that is protecting democracy now, but that will turn against us once it is overcome. When barriers are lowered so far that the inertia is overcome, the same inertia will make it incredibly hard to get rid of vote buying again. Keeping honest people honest is orders of magnitude easier than making them if they are not. I would not want to risk it without a promises of truly significant gains and I just don't see those with e-voting.
But vote buying is not even the problem I would focus on. Much more pressing is the form of soft coercion that is enabled by allowing voting in what I would call "unchecked privacy": imagine you are part of a group where everybody assumes that all would vote the same. There is a documented tendency (proudly showing off your ballot on Twitter) to scrap vote secrecy in favor of virtue signaling for "the cause", whatever cause that might be. As soon as there is a group with supposedly aligned opinions, the true believers will tend to erode secrecy and establish an expectation that the others follow. Maybe your spouse won't beat you, maybe your friends won't shun you for insisting on voting in secret, but the easy path is to just go with the flow and play along. "What difference does a single vote make?" Optional secrecy is a serious weakness to the democratic process.
All of those things are possible now, yet they don't happen. I see no reason to think electronic voting would make it more likely. And in fact, we have a test case: Estonia. Is there any evidence of any of this happening there?
I asked for evidence of a specific phenomenon. The specific phenomenon I requested evidence of would be no easier to have evidence for in the electronic or paper case.
It takes much less energy and time to modify something electronically. Once physical items are required to be collected, edited or destroyed then evidence becomes significantly more durable.
we have evidence of widespread irregularities in casting votes via mail for people abroad in italian elections (there are a ton of italian citizens abroad, due to ius sanguinis rules).
That entails basically going to people, buying a voting slip and casting it on their behalf. Or better, buying packs of slips from officials. For e-voting it would be the same.
Sure, you can increase jail time and reward revealing it, but that is not a panacea, as the existence of _any criminal activity_ proves.
> Not necessarily. It is possible to have verifiability and receipt freeness
I know these methods, but they were not used in OPs suggestion. They fix this issue and introduce others.
> Clearly you need to do more research before making such sweeping claims.
On the contrary, I'm willing to double down on my claim. I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.
Electronic/Online voting is like catnip for programmers. We can consistently overcomplicate things and create these horribly complex constructs because we're sure there must be a solution. After all software is eating the world. Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.
> I know these methods, but they were not used in OPs suggestion.
You knew it but didn’t mention it as an obvious neutralizer of your objection, in the context of a discussion about possibility (“you could”)? I doubt that.
> I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.
There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?
> Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.
This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”
> You knew it but didn’t mention it as an obvious neutralizer of your objection, in the context of a discussion about possibility (“you could”)? I doubt that.
This is baseless and useless. I've discussed this online in several situations, including on hacker news. If you really want to check this feel free to see my comment history here and on reddit.
> There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?
There are plenty of systems in the literature, even ones I am happy to stipulate right now are 100% cryptographically sound for the purpose of the discussion. The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election. Once you do that you no longer have a functioning democracy.
> This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”
eCommerce and eBanking have very different needs, so the query/replace doesn't work. In banking you both accept that some people in the banks have access to your data and that transactions can be reverted. None of that applies to voting where the process has to at the same time avoid leaking who you're voting for, provide accurate counts, and be trusted by the average citizen. Those properties are simply not possible without a traditional paper count done by adversaries.
> This is baseless and useless. I've discussed this online in several situations, including on hacker news. If you really want to check this feel free to see my comment history here and on reddit.
Feel free to point out where you previously discussed receipt freeness. And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?
> The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election.
You're going to have to be more specific about what you mean.
> the process has to at the same time avoid leaking who you're voting for
This is called receipt freeness, which we just discussed.
> provide accurate counts
This is called universal verifiability, which is also perfectly attainable by e-voting systems.
> be trusted by the average citizen
You've provided no reason to think that citizens will never trust e-voting systems. The very article of this thread provides a counterexample, and it's not even the most secure.
> Those properties are simply not possible
This is just flat-out wrong. It is perfectly possible to have all of the above properties simultaneously.
> Feel free to point out where you previously discussed receipt freeness.
I'm not going to go around spelunking on my old comments to prove to you that your attacks on me are unfounded. Do your own homework if you care about this for some reason but this is getting extremely aggressive for no reason.
> And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?
The point of my comment was to explain that what appears to be a common solution to a problem that we'd use in any kind of electronic system breaks down other stuff in electronic voting. I wasn't about to go 10 rounds of "but you could do X and then be broken by Y". My point isn't that there aren't clever ways to engineer digital systems for electronic voting, is that however you do that you end up with something that can be attacked in horrible ways. See below for an example.
> You're going to have to be more specific about what you mean.
Since you haven't provided a voting system for me to attack I'll try with what I consider to be a very good one:
- You vote by pressing a button or touchscreen at your polling place
- A paper ballot is printed with your vote that you verify and drop into a traditional ballot box to be counted as usual
- A receipt is printed with some code that you can later use to check that your vote was counted in a cryptographically secure way
- Paper ballots are tallied locally as usual, electronic results are sent encrypted to a central server that can be later used for vote count verifications
- The electronic count and the paper count are done in parallel and both published. You expect small differences in the count (mostly from human error in the paper count) but as long as the results match up to a low difference you trust your election.
- There are no flaws in any of the crypto and all the polling officials are honest (this last part is something the paper system does not depend on)
So this seems strictly better than a paper election right? You get the electronic count just as the polls close, the safety that you can later check that your vote was counted electronically, and the double-check of the paper count to fall back on. So here's how I attack it if I'm just a skilled hacker working alone:
- Work as a tech at one of the polling places and intentionally miscalibrate touchscreens. People will register wrong results and get some stories out that strange things happened in some polling places.
- Pick polling places where a minority is heavily represented and break those machines in particular. At worst some extra coverage, at "best" the election gets skewed because those polling places start having long lines and people walk away.
- Spread some malicious code to the general population through any of the normal means (Android apps, unpatched vulnerabilities, etc). I just need to get a small number of common citizens. Have that code intercept the place where you check if your vote was counted and tell you it was not. Hopefully you'll recheck in a clean machine and be satisfied. If possible target politicians and the actual losing candidates in the election so that they are particularly worried that the election was stolen from them.
- Finally hack into the central server where you do the checks to see if your vote was counted and make checks fail randomly.
At the end of this you have seeded pretty deep distrust over the election. Depending on how skilled the hacking is it may be enough to break down the trust in your democracy. I'm not willing to take that risk. But now if you're a very well funded hacker group or a state actor you can do more:
- Hack the network providers and selectively DoS the verification server for minorities or parts of the country that voted against the winner.
- Infiltrate the supply chain of a few of the thousands of suppliers of the voting machines and plant hardware level bugs ...
> The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today. I'm willing to hope that the US case is just pure incompetence, but the attack surface is very large and we've seen that foreign state actors are extremely motivated to meddle with elections.
Whether it's incompetence or foreign attack, the damage done will be the same in both cases, so it's a terrible system to use either way.
> I'm not going to go around spelunking on my old comments to prove to you that your attacks on me are unfounded. Do your own homework if you care about this for some reason but this is getting extremely aggressive for no reason.
You're asking me to prove a negative. I merely said I doubted you knew about receipt freeness because you didn't even mention it as an obvious counterpoint to your claim, which is a reasonable conclusion. If you consider that an “extremely aggressive attack”, fine. It is easy for you to prove me wrong, you just have to point out the comment in question.
In the meantime, I'll continue to assume you either had no idea what receipt freeness was, or deliberately created the false impression that a verifiable voting system cannot be receipt free.
> I wasn't about to go 10 rounds of "but you could do X and then be broken by Y".
You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).
> So here's how I attack it if I'm just a skilled hacker working alone:
So you just assume you can achieve all of this for any e-voting system. Fantastic argument. Really convincing. You may as well have said "Here's how I would attack and infiltrate banking networks or current voting systems surreptitiously. See, we can never trust either of these!" That's just laughable.
> At the end there's a very high chance your election is now fully distrusted and the country is in chaos. Even if it doesn't work 100% of the time it only takes one or two successful events globally for people to distrust these systems, whichever they are.
Clearly wrong as evinced by Estonia's voting system, even in the face of its demonstrated security flaws.
> The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today.
...and it hasn't led to the collapse of the voting system.
> If there are no advantages why do it?
Are you asking what the advantages of e-voting are?
> The difference for eCommerce and eBanking is that under any of those attack scenarios you just go to the bank branch and sort things out, including reverting transactions.
You're assuming banks are always aware of attacks, which is just not true.
> At this point it's on you.
It's not "on me". It's been mathematically proven that a system can possess these properties simultaneously. For example, see
This seems pointless but I'll clarify the main thing in case you really haven't understood my point.
> You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).
The issues that are introduced are exactly all that attack surface that I described how to exploit. You keep insisting that the math checks out but that's not in dispute. The mathematical properties of a well designed electronic system are fine. It's the actual engineering realities of such a system that makes it massively easier to exploit. All those examples I gave and many more are now failure modes you have and didn't before.
> Are you asking what the advantages of e-voting are?
Yes. I live in a country that has heavily invested in e-government but runs very efficient paper elections. I go in on a Sunday at my convenience and get the results for the whole country 2 or 3 hours after the polls close, extremely accurate predictions maybe an hour after. I know of no advantage electronic voting would bring that would be worth the extra cost, let alone the risk and complexity. It's a (very poor) solution looking for a problem.
Say I sell my vote. The person picks a party I don’t agree with. I will simply vote for them anyway in the prelimenaries, screengrap my proof, and send to my customer.
I can do this multiple times. Each time I void my previous ballot, betraying my previous customer.
Then comes election day, then I show up in person and cast a physical ballot for the party that I favor. As a buyer, my customers have no way of knowing I didn’t void the preliminary ballot by showing up on election day.
Note that frauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.
I can't see a way of that working without breaking down somehow:
- If every time you vote you get a receipt for that vote that can be checked if it's still valid then you can send that receipt to the buyer and he can then check that your vote is still according to his purchase
- If you can only check that the receipt was registered but not if it's still valid you can't check that your vote was correctly counted because you don't know if the vote has been changed after in multiple possible ways
- If you can check that the vote actually is for candidate A at any time you can sell that access to the buyer for him to confirm
- If the only way to avoid all this is to also cast an actually secret vote on election day the buyer now just needs to make sure you don't go to the polling place. Posting spotters at the door is not too hard.
I don't see a way for you to actually be able to confirm your vote was counted and not having at the same time the ability to sell your vote in a verifiable way. Perfect verification isn't needed either. If you're selling your vote to the mob you'll have second thoughts about failing to deliver. If you make the process easier "honest" sellers will create the market.
> Note that frauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.
Most I know are actually harder because you only get the single mail-in ballot so you can't do the double or triple voting. If you can show up on the day and invalidate your mail-in then part of same can be done. Depending on how the invalidation of the mail-in is done it can be even sketchier. But I don't consider mail-in and absentee paper votes to have enough security guarantees either way. Paper ballots, in a box, counted by adversaries is the gold standard. Everything else has a high burden of proof.
Iceland doesn’t have e-voting, but they do have absentee voting. You can vote as often as you want during the absentee ballot, and your most recent will count (or none if you also show up during election day). If you need to physically be present to make sure your agent does’t show up during election day, buying enough vote to sway any election is going to be hard. I suppose if you are a part of a larger organization, you can post several spotters around every voting station. But that will increase the chance of them being spotted and spoofed by the police.
> I suppose if you are a part of a larger organization, you can post several spotters around every voting station. But that will increase the chance of them being spotted and spoofed by the police.
It's easy enough to deploy spotters without being found out. Just deploy spotters as exit pollers, they're already part of any modern election :)
Exit polls are not done everywhere, and in some countries they are even illegal. Just make soliciting around poll stations is illegal and the problem is solved.
Eliminating exit polls seems like a really bad idea. They're one of the only ways to validate an election system that doesn't depend on the system itself. When you have wild discrepancies, particularly in some precincts, you know to investigate. And it seems you'd want that particularly when you've implemented a complex electronic voting system.
And thinking about it some more the Estonian system seems perfect for vote selling. You just provide your ID card and PIN in the last day of early voting and get it back the day after the election. The buyer can vote in your name and hold your ID card to make sure you can't vote in the booth.
You might be right about the exit polls. Perhaps this can only be applied in countries that have strong independent monitors (which Estonia should have being an EU member). Regarding vote selling, I don’t know how it is in Estonia, but in Iceland voter ID is pretty lax. You can provide an ID in the form of passport, drivers license, bank issued debit cards, etc. As a buyer I have no way of knowing if I'm witholding all possible IDs from my agent since they might have several debit cards from several banks, more then one passport (through dual-citizenship), etc.
It should be noted that ID+PIN is not just for the elections: it covers all of the e-services from online health records to online banking, also including digitally signing documents in your name. So I would assume that people wouldn't trust their ID+PIN to strangers.
It should be impossible even with a court order, and I think most voting systems are set up like that. How else do you guard against the party in power, that can get all the court orders it wants?
It's entirely possible in the UK, while "court order" is probably the wrong terminology, the core meaning is still there. Ballots are numbered and the number recorded against your name. You would need access to both to work out who voted for whom.
I don't know of any reason why it could be accessed, though since parliament is sovereign "if a judge agrees" is always a safe disclaimer to add since the underlying law can be set.
Then vote for the party your intimidator picked, show them you voted for them when asked. Then simply vote again for the party you want (during election day if you are afraid they will show up unexpectedly again before election day), voiding your intimidated vote. Your intimidator will never know who you voted for during election day (unless they spied on you, but you also have that problem for non-digital votes)
This is actually what is done, you can download a phone app for iOS or Android, where you can scan a QR code you see when you vote to verify your vote. A vote can be checked after i-voting for up to three times during half an hour.
They've done this, you can download a phone app for iOS or Android, where you can scan a QR code you see when you vote to verify your vote. A vote can be checked after i-voting for up to three times during half an hour.
Typically, the way this is done is through a smartcard, secured and provided by state officials. A vote has to be signed by the key that never leaves this device. So even if you computer is infected by malware down to its USB firmware, it won't be able to fake many things. Just prevent you from voting.
My main criticism is that as it is it could still feed the card with the wrong vote to sign. The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.
However it requires trust in the officials to do their jobs correctly and to not tamper the tally.
I, personally, love a lot of e-Estonia initiatives, but consider electronic voting to be a bad idea, unless you are ready to get rid of the anonymity of the vote (you can have secure non-anonymous remote voting)
> a smartcard, secured and provided by state officials [..] The (state-provided) USB reader [..]
are not immune to attack either. Unless you go to the extraordinary lengths of making your own hardware in a facility you secure and keep secured for the duration of your democracy, there is no such thing as a 'secure device'. Not when the prize is something so hugely lucrative and advantageous as control over an entire country.
All assuming you trust your government. With opposition parties monitoring vote counts, that's easy. But what about when they have to look for dopant-level chip defects?
In Washington state, all voting is via paper ballots mailed or dropped off at a voting location. You sign them. People end up having different ballots because your ballot is customized for the district you live in (unique city, school district, county, state combinations is a reasonable size). They verify your signature. You can track if you ballot was received (it's inside an inner envelope) and if your signature was confirmed or not.
This feels safe, and as they have the original paper, they can revote - but they have all the ones in the district in a box somehow.
I lost any respect I had for WA after I-1639. The ballot initiative that never actually got enough signatures, but Michael Bloomberg's money ensured it got on the ballot anyways. You're making felons out of everyday people now. Who cares how great your voting is when you can't even follow the US Constitution? It's a joke, it's all just a sick joke now.
Who create the security tokens that banks use? I could see few things more lucrative and advantageous than a perfect backdoor into that hardware, especially since here in Sweden you can create electronic government ID from said token which can be used for everything except voting.
It is not without reason that most common fraud here in Sweden (around 80%) is someone calling under false pretense asking a victim to use the hardware token in order for the fraudsters to create a new electronic id which is then used to empty the bank account, create credit accounts, and so on. So far those security tokens has had a perfect track record from a hardware perspective, as much good that does. Maybe that is a bomb waiting to explode but it is hard to see a stronger incentives for criminals than what already exist.
When people here discuss electronic voting, security of the hardware tokens is not usually brought up. It is rather all the other elements which makes it a bad choice. There would be no physical ballots that can be verified, questionable anonymity, and a loss of a controlled voting environment. All the common solutions to those problems usually results in the conclusion that it then easier to just keep the current system as is.
The thing is that bank security is at least theoretically possible. Banks and/or governments act as a central sources of trust in such systems and trust for can be derived from this source. I.e. a bank could build the hardware tokens from scratch themselves. With an election the trust model is inverted. I'm not sure there is any practical way to allow the trust sources (every voter) to audit the hardware tokens.
Electronic votes can be secured cryptographically. Votes can be counted per precinct instead of centrally, and then summed. The security factors of paper voting can be replicated electronically.
"The authority might just lie about the count or throw away or counterfeit votes, or coerce voters other vote a certain way" is not solved by paper voting either, as seen in Russia and many other places.
> My main criticism is that as it is it could still feed the card with the wrong vote to sign.
In other words: It doesn't help at all against malware on the computer.
> The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
In other words: If the USB firmware is infected, it's still not secure.
> With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.
So, if you are using secure devices ... then you can have secure elections on insecure devices? In this scenario you aren't actually using the insecure device, other than for establishing a connection to the internet.
Or rather, as you described it, it also functions as the input device--but that is a security problem because it can be used to violate the secrecy of the vote, so it's not actually secure that way either. The only way to make it secure (sort-of) is to not use the insecure device.
> However it requires trust in the officials to do their jobs correctly and to not tamper the tally.
And that is the reason why electronic voting is not an option. Elections have to be able to remove a government from power against its will. An election process that depends on the integrity and honesty of the government that you want to remove from power is inherently broken. An election process that only works when there is no conflict is not a useful election process.
Considering Estonia's history, paper voting isn't exactly amazing either. The Soviet era showed that election fraud happens anyway. The problem with paper voting is that mistakes in counting happen very often. During the election that just happened in Estonia officials wrote the candidate number into the box that said how many votes they got.[1]
In the 2016 US presidential election officials basically typod the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. The party officials nor election officials caught the mistake.[2]
If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?
Paper voting is hundred times more secure than electronic. With paper voting observers can see all the ballots and verify the results; these results are usually published so if you have observers at all polling stations you can verify that all votes have been counted correctly.
With electronic voting nothing stops sysadmin from doing UPDATE votes SET vote = 'Good Candidate' WHERE vote = 'Bad Candidate'.
Do you mean the public database of everyone's public keys? Tampering with that would get noticed really fast and anything like that would greatly erode the trust in the system and wreak havoc on the economy since most stuff is signed digitally.
The signatures are generated by government-issued cards. Doesn't it mean that it can issue any number of new cards and generate signatures using them?
Also, they cannot store signatures with votes because that would disclose voter's identity and their choice. They have to store signatures separately from the votes and it means that the votes can be freely modified.
Here is what Wikipedia says [1]:
> This criticism was underscored in May 2014 when a team of International computer security experts released the results of their examination of the system, claiming they could be able to breach the system, change votes and vote totals, and erase any evidence of their actions if they could install malware on the election servers.
Of course, the government can install enything on its servers.
Here is a quote from a report on vulnerabilities [2]:
> The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable “black box” of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.
> ...
> The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.
Read: the government can "draw" any outcome they would like. Maybe they already did it, who knows.
I doubt it was a mistake. Missing ballots, found ballots, all part of the games the operatives play. We don't live in a democratic society, with live in an illusion where we believe any comfortable lies we prefer to believe. That is America in the 21st century.
I can't imagine how Trump won Wisconsin and Michigan except that maybe Voter ID laws made it harder to commit the necessary fraud. Even still, the recounts were only stopped when massive fraud was detected and had to be quietly swept under the rug lest the entire populace find out what a sham our elections truly are.
Also, the whole Russia thing is a lie. It's easy to see that it's a lie--no actual evidence has ever been presented, just innuendo repeated over and over again. That's how propaganda works, you repeat it over and over until people stop questioning where the "facts" came from. The US badly needs to break the backs of the propagandists. We need real journalism again, not this 24/7 Pravda bullshit.
> Considering Estonia's history, paper voting isn't exactly amazing either.
So, could you point to any one election in Estonia's history where electronic voting would have been any better?
> The Soviet era showed that election fraud happens anyway.
That's just bullshit. Just because a solution for a problem is not perfect, does not mean it's useless and that every non-perfect approach is equally bad.
> The problem with paper voting is that mistakes in counting happen very often.
Which is irrelevant to the discussion of security. Mistakes are a very different thing from intentional manipulation, both in how you can prevent them and in the effects. In particular, mistakes tend to average out, which is why they usually don't matter for elections as long as they happen at a reasonably low rate.
> In the 2016 US presidential election officials basically typod the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. The party officials nor election officials caught the mistake.
... which is why we should employ a voting process where only the election officials have any insight into what is going on, so we minimize the chance that a citizen discovers any errors?
> If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?
... and how would an election process that is completely opaque to the public possibly help with any of that?
>My main criticism is that as it is it could still feed the card with the wrong vote to sign. The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
You can check who you cast your vote for through online voting. You can do it 3 times for half an hour after you voting. You cast your vote on a PC and at the end the voting software shows you a QR code. You can then use an app on your phone provided by the government to check who your vote was counted for.
You can vote multiple times though and the previous votes are discarded. You can even show up on election day at the end and it well override your online vote.
I don't know what Estonia does, but there are ways to publish the votes in a secure way
that prevents anyone from decrypting a single vote, but lets anyone verify their vote was correctly counted using their own secret key.
httpp://news.mit.edu/2009/rivest-voting
Of course you need monitors
from all interested parties to prevent ballot stuffing, but that's true in every election. It's up to monitors to read the voter list and verify that (probabilistically) there are no/few fake voters on it.
According to this report [1], they published the source code and provided a video recording of installing the software (sounds like a joke):
> Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection.
Really, it strikes me how luddite people are when it comes to voting. In every other case, people welcome technology making stuff easier. But in this area, all I hear is complaints how far the voting booth is, how you need ID, how there is no national holiday and so on. What about absentee ballots? How do you make sure they were mailed by the right person?
Listen, if an attacker can subvert 30% of the votes, don’t you think they would also be able to subvert 30% of bank accounts which would use the same security? Banks let use an app to withdraw $100,000. Why not for voting which is far less valuable?
Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way. If you are concerned about the vote being illegitimate then have everyone submit an encrypted video of themselves saying the vote along with the vote, and the app recognizes what is said, displays it on the screen and the person clicks OK.
EDIT: To the automatic downvoters - why do you trust your bank’s app to manage a lot of money but not an app for voting?
Voting requires anonymity, so you lose a lot of the security because of that.
For a bank, you have a PIN that is tied to your identity. You may also have a second factor that is tied to your identity. The bank can use this to positively identify that you are the one making the transaction, and tie it back to you.
You can also verify the transactions after the fact because it isn't anonymous. You can log into your account and check to make sure what the bank thinks happened actually happened. And if it didn't happen the way you say, you can contest it.
Also, the risk is actually lower because the bank assumes liability. If a false transaction is made you can protest it and if you prove that it wasn't you who made the transaction, you get your money back. With voting, you can't get your vote back.
> What about absentee ballots? How do you make sure they were mailed by the right person?
You have to sign the outer envelope, which can be verified (and is not anonymous).
> Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way.
There are a lot of controls in place that prevent that. Number one, the ballot box is never attended by just one person. Number two, the count of ballots has to match the number of people whose identity were verified and voted, and that verification is done by different people.
To stuff the ballot box, you'd have to buy off every poll worker in that precinct, get the list of everyone who didn't vote, pretend to vote for them, and make sure your ballot counts lined up. Since each precinct only serves a few hundred people at most, you'd at best get to put maybe 300-500 ballots in the box. You'd have to do that at every precinct.
You can cryptographically sign things with your private key on your device also, which is put there when you register to vote. Either way, someone can theoretically forge your signature.
You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.
All the matching of counts etc. can be done electronically too.
> You can cryptographically sign things with your private key on your device
Unless your device is compromised.
> Either way, someone can theoretically forge your signature.
They could forge your signature, but to be effective, they need to forge thousands of signatures.
> You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.
No, the ballots all have unique numbers and the list of numbers is stored separately. You'd have to buy off all the poll workers to pull that off, and you'd have to reconstruct all the records to match your fake ballots.
> All the matching of counts etc. can be done electronically too.
Sure it can be, but not securely, and security (and integrity) is the number one goal of a voting system. Convenience and speed are secondary.
Let's put it this way -- the State of California only does paper ballots. No voting machines are allowed in the most populous state. Why? Because they engaged many security consultants and couldn't figure out a way to vote electronically that was safer than paper.
It takes over a month to certify a California election, because every ballot is cross checked with the precinct records, they randomly recount various boxes of ballots, they check that the outcomes are in line with the polling data, and they verify every single signature on every absentee envelope.
They pull the physical signature card from when you registered and compare them by hand. Then they have a second person do it another room.
I think you're too enamored with technology to see that in this case it isn't being luddites about it that is the problem -- it's that very smart people have tried to solve this for a long time and come up with nothing.
It may be time to admit that the hundreds of security professionals with thousands of years of combined experience may just know more than you about election security.
I trust the bank because it has zero interest in subverting it’s own security. A government that doesn’t want to be removed from power has both motive and ability to do so. Paper Ballots allow Opposition Parties to count votes, an electronic voting system (wich would require the production of custom hardware in a government–owned facility to be remotely secure) would require the opposition to check for dopant-level chip defects.
You're being facetious and you know it. It wasn't paper ballots that enabled the communists to hold on to power, it's that they didn't have any opposition, and their elections wouldn't be recognized as fair and valid by any modern standard.
Half-facetious. If a government really wants to hold on to power by force, they can do it one way or another - elections end up being theatre in that case anyways.
Except in Soviet Union terrorizing all the opposition parties/majority of voters was long, costly and brutal process. Online voting makes the whole thing cheap, easy, and undetectable.
Vote results are always really close to pre-election poll results. You can't really manipulate the results too much unless you somehow prohibit polling.
In online banking the bank knows who you are. In this case that would be the government, this is not and should not be allowed.
If such a system could be made that it somehow was able to verify that you are actually the individual registered to vote, but also anonymous so no-one could possibly trace what you voted for. Then you need to be able to setup a secure and verified connection (but still anonymous) but unlike your bank account, isn't the target of multi-international efforts to subvert democracy to gain political favour. Deciding what compatible devices and technology should be used and to ensure that all of the voting population has access to it is another challenge.
Another thing required is for there to be a presence of the candidates or representatives on behalf of them that can monitor the voting process and call out any foul play, which would require people with the right expertise to examine the system so they know it properly counts the votes. Which means a open-source system is required, but the exact details of how it verifies voters will also be exposed.
And what happens to the votes, are they not stored at all or stored temporarily? How do you do a recount if they are not stored and if they are, how do you make sure that data is destroyed completely once the result has been declared?
These are all questions that nobody seems to have a practical answer to.
One thing the Estonian system does is that you can verify your vote on a mobile device by scanning a qr code that you see when you cast the digital vote. A vote can be checked after i-voting for up to three times during half an hour.
I imagine if any mismatch was detected the country would shut off i-voting immediately.
As if democracies aren't buying votes already en masse?! Lobbying is just that, on a scale that actually matters more (directly at policy decision making point).
You can vote multiple times through online voting. This means that buying votes like this wouldn't be very effective. Online voting also ends a few days before election day at which point a person can go and vote in person. The vote in person counts over the online vote.
This is one of the reasons why Netherland has banned voting machines completely. We're back to paper and pencil because it's easy to verify that all votes have been counted.
Why are you searching attackers outside? I don't know how it works in other countries, but in Russia the elections are always "hacked" by the government. You don't need any special resources or a backdoor, you just need a loyal sysadmin.
It's not about being safe, it's about being provably shareable. When the option of privately sharing your vote is there, it doesn't take long before a malicious candidate forces you to do it or face consequences.
I think you have to reliably prove that it's your ballot and that it wasn't tampered with after the photo. Halter Voters would sometimes include a specific marking on the ballot that confirmed it was a succesfully bought vote so people could be personally rewarded accordingly.
Think of what this means for voter representation. You just made it much easier for people with computer access to vote, compared to those without who still must trek to the polling place. I doubt the demographics represented in this vote were the same as the last comparable one.
I think you have it the wrong way around. This actually improves voter representation. It's now a lot easier for people with disabilities, the elderly, etc to cast a vote — they don't have to organize transport, they can just vote from home. Getting people to actually go to the polling stations and cast a vote is something that all democracies struggle with to a certain extent, this helps alleviate that issue.
90% of Estonian households have access to the internet. [1] The percent is still increasing. On top of that, it's possible to request the government to send an official to your home if you wish to cast a paper vote from home.
(Spoiler: Opsec fails begins at 42 min. But watch the whole thing, it's interesting.)
It might be prudent to point out that Estonia is one of the better e-voting systems. Voters can override their e-vote with a regular one on election day. However that just means that other systems are mostly even worse.
Seems like e-voting is used as a way to transition between a democracy to an hidden totalitarianism.
Citizens are lead to believe the voting system still works as usual but in the fact the results are manipulated to keep the same person or group of people in power. Which can probably last for a while. Meanwhile the person/group in power can take control of all parts of the state until it slowly fades into an obvious dictature.
This works because most people don't understand technology well enough to understand that electronic voting is very far from secure.
Newver understood the fascination with e-votes. E-votes are great when you vote for reality shows but for a normal election I think walking to the local booth and vote is a much better idea because it is hackers proof and also only citizens with enough motivation will vote.
People want convenience. Citizens would like to vote online, and are largely ignorant of the technical challenges that make it impossible to secure, at least on your average everyday Internet connected consumer device.
Its the job of us techies to keep shouting from the rooftops how all these implementations of online voting are deeply flawed and exploitable the same way climatologists have to keep screaming from the rooftops about the damage rising co2 is causing to our biosphere.
That is worse. It means people on welfare might be willing to vote more and hence peters would vote to steal from paul. Probably an argument that only those who pay certain amount of tax alone should be able to vote.
Online voting seems like such a bad idea to me. If people want convenience couldn't voting by post be a good compromise? Sure you still have to bring your letter to the post office but that's a more mild inconvenience and it seems more secure than e or i voting.
Usually online voting supporters say that it would increase voter turnout. It seems that it hasn't happen in Estonia: 64.2% in 2015 and 63.7% in 2019 [1][2].
Also, I am a bit worried that online voting might give young tech-savvy people an advantage over old and poor people who don't have access to computers or mobile phones. Has there been studies about demographies in these elections?
Currently older people vote in much larger numbers than younger people, so I don't see how that's a major concern. Clearly the current setup advantages the elderly in practice.
All these "e-voting can never work" comments just scream ludditism. Estonia has already demonstrated that it works, we have online banking and cryptocurrencies worth billions of dollars in market cap, and people want to say it's not possible. Yeah, ok. Feel free to express your views, but don't pretend to represent the software engineering community.
Nobody said it's impossible. It's just insecure, unverifiable, and non-anonymous.
Unless you inspect every voting machine, smart-card reader, internet connection, encryption algorithm, etc. for every election completely, you can potentially manipule millions of votes from your home from the other side of the planet. Or on a smaller scale, change all votes of one or multiple voting machines.
Paper ballots aren't secure either, who's to guarantee that your paper ballot was recorded correctly? In many countries paper ballots have been tampered with, altering elections (Venezuela, South Korea). Remember Bush vs. Gore in 2000? I don't understand why people are so trusting of paper ballots, I would much prefer an e-voting system where my vote can be verified afterwards.
You don't need to inspect every internet connection, there's HTTPS.
The key is that one should be able to verify one's vote to ensure that it was properly recorded. If everyone can verify their own vote, then they can verify that the voting wasn't hacked. With paper voting, it is impossible to verify your own vote - it is equivalent to tossing it into a black box.
One might say "then people can sell votes!", but as Estonia has done, you can have it so that one can vote multiple times. And of course there should be extraordinarily stiff penalties on anyone buying/selling votes (I'd say minimum $30k or 20% of one's total wealth fine + prison time).
Needing paper ballots is holding back democracy. E-voting would revolutionize democracy and for the first time in history allow a true direct democracy at scale. Of course e-voting cannot be conducted by emailing votes or some other insecure nonsense like that, but it is ludditism to suggest that it cannot be achieved, which many seem to suggest. This kind of thinking is literally holding society back.
> Who's to guarantee that your paper ballot was recorded correctly?
Each reporting station must accept observers and counters authorised by each of the interested parties with local representation. It's a big deal when this process is compromised and always makes the news. And these counters and observes are generally your neighbours from the local community so there is some amount of trust already. Further the section count is acknowledged back from the central counter.
HTTPS doesn't have the proper guarantees for this application.
Changing votes doesn't have the proper guarantees that people won't be buying or extorting votes. Not that it matters, because that's not really the biggest concern with evoting.
Penalties also don't matter against a malicious state actor for any abuse. As an example, Chinese spies go after the relatives in China of US tech employees to force cooperation. A state actor can stack the deck without anybody to prosecute even if caught.
Online banking and cryptocurrencies are not equivalent technologies. Just because you can solve those problems with software doesn't mean you can solve every problem in the world with software.
Yes they are not equivalent, my point is that if we can handle money online, there's no reason that voting can't. Bitcoin's market cap is something like $80b, yet nobody has ever hacked it.
Oh well as an Estonian that topic is staring to become really tiring especially because we just passed to voting season.
Bottom line is:
Conservatives / nationalists are preferred by older folks and these parties lobby against anything that can give votes to liberals. They also know that youngster might skip the voting after all if we would go back to paper voting all together. Also there will be major reputation loss. But since conservatives are against EU, open-trading and anything outside our teeny-tiny pond they don't give a flying fuck about that.
I'm curious about what we can do with digital voting, in terms of evolving democracy. If, hypothetically, all mechanical issues are solved...
We could have more direct democracy, with high-frequency referendums, reversible proxies, publicly submitted or endorsed bills. The democracies we have were designed around mechanical limitations, so it stands to reason that (at least some) democracies would change when those limits go away.
That said... there seems to be a dearth of ideas, at least few seemingly useful ones that I ever hear.
If you were making a new constitution for a village or city, what could be done with electronic voting and how does it make it better?
Essentially, Estonia gives 44% influence of their country to a system that cannot be verified to have almost any relation to what people actually have voted for. The people have will just look at the results and have to think "well, I hope weren't hacked this time" and move on.
>The people have will just look at the results and have to think "well, I hope weren't hacked this time" and move on.
Well, no they the main proponents of e-voting figured a long time ago that it's easier to eliminate those concerns using propaganda. For example if you are against e-voting media will brand you as a backwards russkie who hates Estonia.
I'm not a supporter of i-voting, but it is true that most of the "concerns" given are pure FUD/bullshit. Studies that consider guest WiFi password being vital information, studies that collate e-voting and i-voting and a lot of other shit I can't recall at the moment.
But the very basic problems are not talked about, namely:
* Votes should be counted by independent parties while preserving anonymity
* Certificate issuance should be actually monitored by CT logs, every vote that is not in a CT log is dismissed and logged
* Voting code should be actually readable and audited (only opsec has been audited so far)
There are a few other problems but I've forgotten them for the time being. These are the problems we should be talking about, not some bogus like, "Omg how can ten grannies vote quickly online".
Online voting in elections has been around since 2005 in Estonia. I think you're making it seem worse than it is. On the other hand, I wish Estonia did not have online voting as well. There are some attack vectors you can't defend against.
That's some nice Russian propaganda you have there. With some pretty serious factual mistakes. It claims that non-citizens can't vote in local government elections, but this is false. Citizenship isn't a requirement to vote in local elections.
> former USSR citizens who lived in Latvia and Estonia and were deprived of the right to receive its citizenship after the collapse of the USSR
What right? Merely living in Estonia doesn't give you any right to citizenship. What's more, it's not that difficult to get citizenship. The main obstacle is learning the local language, as that's part of the test to gain citizenship. All these non-citizens refuse to do so. They take pride in being Russian and speaking Russian. They are openly talking about how great Russia is and how they are waiting for Russia to unite them with the motherland.
Estonia gained independence in 1918. Just because USSR occupied us [1] and transported a bunch of people here doesn't give them any rights to citizenship. The Russian population in Estonia grew from about 23,000 people in 1945 to 475,000 in 1991. [2] Now making up for a whopping 30% of the whole population! This is due to systematic transporation of people as part of Russification [3] where the Russians attempt to eradicate native cultures.
After the collapse of USSR it was possible for them to go back to Russia and/or get a Russian citizenship. Some did that, but all of these non-citizens still left are people who decided that life with fewer rights than citizens in Estonia is better than becoming a Russian citizen and living in Russia.
Certainly and nobody is being forced to learn languages in Estonia, as being an Estonian citizen isn't a requirement to live in Estonia. What's more, citizenships often come with language requirements when we're talking naturalization. Indeed you need to speak Russian to get a Russian citizenship via naturalization. [1]
I understand the cost appeal of such a voting system but it's pretty low security for an election. I wouldn't even worry about foreign actors as much as I would worry about domestic actors controlling the digital ballot box by fucking with the online voting system.
207 comments
[ 1.8 ms ] story [ 204 ms ] threadThis would be a vast improvement over our current representative democracy model since we'd be able to hold politicians accountable more easily, lobbyists would be less influential and we could put our voting power behind domain experts for issues of importance.
The German Pirate Party tried liquid democracy, and the result was similar to what's going in Wikipedia: There's a small set of people with more time on their hands than it good for them or others, and it doesn't take long for them to take over.
She was taking about the FCS and People like Guido Fawkes.
Oh "Yahoos" refers to Jonathon Swifts Yahoos not any one employed by Yahoo
It's amazing how short-sighted people are.
I also think this is one thing that also gets more young people to vote. They are familiar with technology and so used to doing everything online. For example I would have not voted for the last couple of elections if digital voting would not have been available.
https://media.ccc.de/v/31c3_-_6344_-_en_-_saal_1_-_201412281... (starts at 20:26)
They failed on quite some points, I cannot believe they fixed all issues.
TL;DR: It's not that good.
[1] https://edri.org/estonian-eid-cryptography-mess-750000-cards...
If I wanted to see paper ballots, how is that different from wanting to see electronic ballots? I'm not confident that I could successfully petition Government for paper ballots just as much as I could sue a given contractor for same electronic records.
Electronic voting always requires trust in the administrators.
This is not allowed in many jurisdictions. You can watch the before and after part easily, though.
I have no such confidence in electronic messages. Unless they're plaintext.
The characteristics of paper elections are well understood and can be shown to be sound very easily to any common citizen. The massive attack surface of electronic elections is poorly understood even by technical people. It's a massive amount of complexity and expense for exactly zero gain.
Historically, vote buying in the UK and the US used to be rife until it was cracked down upon (which came after it was made illegal). Once that happened it completely disappeared.
For voters to sell their votes, somebody needs to advertise that they are willing to buy their votes. That advertisement makes them easy to detect, track down and prosecute.
Vote buying doesn't worry me in this system but hacks certainly do. It gives the impression of being a very insecure system.
That isn't necessary to prevent vote buying. Vote buying is easy to detect because advertising in secret is impossible. All that's required is the political will to look for people wanting to buy votes and come down hard on them when they're detected.
Moreover, if you do do away with the ability to track then you open up the electoral system to other forms of abuse that can't be trivially eliminated with police and stiff sentences.
>it becomes totally possible to track you did the vote, give it to the guy who has promised to pay you, forgive your debts, the debts of your son, not beat you up
If I were to define "secretive electoral fraud that could never possibly scale" I would define it as "I promise not to beat you up if you vote for me".
How big is Estonia?
Do you think every election ever held that can be worth money and power is the size of the U.S National Election?
As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.
I mean definitely making it not worthwhile to buy votes because you will not be able to tell if you got what you paid for seems a more foolproof strategy than make it possible for people to determine what they paid for but threaten to throw them in prison if they do.
on edit: corrected second use of word money to power.
Are you saying that it's small enough that you can sway the election by threatening to beat up every voter?
That's a brave claim.
>As far as the political will to come down on people for vote buying or intimidation etc. I'm sure that making things illegal when there is a profit to be made at doing it has always succeeded in driving that illegal thing out of existence without any untoward effect on society whatsoever.
there is ZERO profit to be made in vote buying if you are thrown in prison after purchasing your 9th vote. You'd have to be enormously stupid to even try.
that's why vote buying doesn't exist. that's why it's not like drugs. It's not because you "can't tell people" who you voted for. It's because it's trivial to detect, easy to crack down on and there's nothing to be gained by risking it. The only time when there was something to be gained by doing it, it was because it was COMPLETELY LEGAL.
Let me repeat that: the only time in history it was ever a problem, it was because it was LEGAL.
I want proof that my vote counted because that helps protect against the kind of threats which DON'T disappear just because they're made illegal. I don't need people like you telling me that I'm not responsible enough to get proof because I might sell it.
>That's a brave claim.
No, generally the way it works is letting the word get out that if people vote for X you will come kick their ass later. For example if go beat up vocal supporters of X before the election and shout we're going to kill you if you vote for X, we know who votes for who because our hackers can see it online fools. Then people might be, oh I don't want anyone coming by my house and kicking my ass after X wins. So I will either not vote, or I will vote for Y so I don't get my ass kicked or even killed, sob.
If we think you voted for X and we come by your house you better be able to convince us you voted for Y! That actually scales pretty good because you only have to publicly hurt a few people before the election, and then hurt a few people after the election if X actually loses so the next election people will be well I better vote for Y and prove I did it. And people now have to actually vote for Y and show they did.
For example, take the following paper into consideration https://www.aisre.it/images/old_papers/MafiaViolence_Oli&Sbe... and then think, huh what would it be like if they could tell who voted for whom?
I mean the thing you're saying about the only time people ever bought votes was when it was completely legal, maybe that was true - was it also possible to prove who you voted for? I mean I don't know what you are actually referencing with your completely legal vote buying line but the implication that people would not buy votes to get power seems if it were illegal to do so seems incredibly silly given all the other illegal things people do to get power.
Not necessarily. See https://news.ycombinator.com/item?id=19355603
Postal voting should be restricted to the certifiably homebound, if it's open to everyone the opportunity for abuse will be taken.
Vote buying could still re-emerge but it can only flourish in an environment where you can do it openly with impunity - i.e. it's legalized or the cops for some reason think they can't touch you.
Your first link doesn't appear to be about vote buying (looks like low level postal fraud which is something else), the second is only about allegations (and again, postal fraud) and the third link looks like a 404 to me. I would be surprised if anybody's seriously attempted vote buying in the UK in the last 70 years.
By contrast, I do think high level integrity of a vote is something we should be constantly vigilant towards. Was your vote counted? Was it for whom you wanted it to be? Integrity and validation are areas where e-voting could pull far ahead of traditional paper voting. As a nice thing you'd also have instantaneous and 100% accurate results instead of this silly 'Let's have the supreme court decide who won.' type affair.
Of course that requires having the opportunity to vote again, so the solution won't deter anyone determined enough.
With paper ballots that problem exists too when you can authorize another citizen to vote on your behalf (this tends to be limited to one or two extra votes per person).
How does this help you? If some one can coerce you once, they can coerce you again (and coerce you in showing when you voted last). Your assumption seems to be that the person forcing one does not understand the system.
Again, this is no different from using another citizen's mandate to vote for them, and it doesn't scale.
Of course there are plenty of other problems with e-voting that remain unaddressed.
To further inculcate the importance of the matter, taking pictures is usually prohibited inside the polling station.
Just to avoid people collating together all e-voting (voting machines and similar) with the tech that Estonia uses (they call it i-voting for that reason), could the title be changed from "e-voting" to "i-voting"?
Edit: actually, just using the word 'online' seems to make the distinction more clearly.
I'm sure this cannot be subverted by an attacker with the resources of USA/China/India/.., or with access to the supply chain from the chip fab onward (don't forget about malware hidden in USB cables!), or or,...
And you'd have to be dead sure, because, unlike with physical votes, there will be few-to-none signs of subversion. You can vote physically, but what do a few physical votes matter when the attacker can change the vote of 30, 50, 70% of the population.
And how do you change the system, when all parties promising to do so can't get enough votes?
Edit: Example of what a voting system must be resistant against: https://www.schneier.com/blog/archives/2018/03/adding_backdo...
You could make it so you can view your vote and check it was registered the way intended. If you voted A and it came out B that would be a sign.
It's also important to realize that the mere suspicion of other people selling their votes is enough to undermine confidence in the system.
And confidence in the system is pretty much the only thing you have to optimize for.
But that is still pointless cause the person you sold your vote can be physically next to you, or you can film yourself voting.
Online voting is unsafe, and should only be used if any other option is unfeasible.
There are no circumstances where online political voting should be used. Ever.
If you get 10 years in prison for trying to buy votes, and the government offers a standing reward of say, $100,000 for evidence that leads to a conviction, all of the sudden you have to pay substantially more than $100k/vote, which means that it's completely impractical to engage in.
Politicians also tend to do all sorts of crazy, risky and/or illegal things to get elected or for personal profit. Nixon and Trump spring readily to mind.
If the reward is large enough, someone will risk it. Sometimes the reward doesn't even have to be large at all -- witness rich celebrities shoplifting, for instance.
People can also be compromised and blackmailed in to committing crimes, or otherwise feel desperate and at the end of their ropes, so they'll try anything.
That's to say that such laws shouldn't be made, but I am skeptical that they'll be enough.
A countermeasure might be an undisclosed deadline lottery: a guaranteed voting window until some time t, then allow corrections until an individually randomized cutoff moment t+x, with a sufficiently big range for x (up to two days, perhaps?). Don't provide feedback wether a correction went through or not to make it even more opaque to a possible buyer.
People free from interference would simply make their first vote their real one, cast safely before the earliest possible deadline.
There is. In the Estionial election it is something like the day before election day. But even if there wasn’t if you need to spend the time and effort to coerce your agent for anything longer then few hours, buying enough votes to sway any election is going to be unfeasible.
It's not a problem because there is too much "friction". Vote buying is already not impossible but way too hard to establish itself. When it becomes gradually easier it still won't be a problem, because it is still not yet established. So you allow even more changes that make it easier, because it's not a problem yet. Call it a slippery slope argument all you like, but there is a crazy amount of inertia in the absence of vote buying that is protecting democracy now, but that will turn against us once it is overcome. When barriers are lowered so far that the inertia is overcome, the same inertia will make it incredibly hard to get rid of vote buying again. Keeping honest people honest is orders of magnitude easier than making them if they are not. I would not want to risk it without a promises of truly significant gains and I just don't see those with e-voting.
But vote buying is not even the problem I would focus on. Much more pressing is the form of soft coercion that is enabled by allowing voting in what I would call "unchecked privacy": imagine you are part of a group where everybody assumes that all would vote the same. There is a documented tendency (proudly showing off your ballot on Twitter) to scrap vote secrecy in favor of virtue signaling for "the cause", whatever cause that might be. As soon as there is a group with supposedly aligned opinions, the true believers will tend to erode secrecy and establish an expectation that the others follow. Maybe your spouse won't beat you, maybe your friends won't shun you for insisting on voting in secret, but the easy path is to just go with the flow and play along. "What difference does a single vote make?" Optional secrecy is a serious weakness to the democratic process.
That entails basically going to people, buying a voting slip and casting it on their behalf. Or better, buying packs of slips from officials. For e-voting it would be the same.
Sure, you can increase jail time and reward revealing it, but that is not a panacea, as the existence of _any criminal activity_ proves.
Keep in mind that you need to check the vote on a different device than what you voted on.
Not necessarily. It is possible to have verifiability and receipt freeness:
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
> The demands of voting are incredibly unsuited to digital systems and definitely to any online voting.
Clearly you need to do more research before making such sweeping claims.
I know these methods, but they were not used in OPs suggestion. They fix this issue and introduce others.
> Clearly you need to do more research before making such sweeping claims.
On the contrary, I'm willing to double down on my claim. I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.
Electronic/Online voting is like catnip for programmers. We can consistently overcomplicate things and create these horribly complex constructs because we're sure there must be a solution. After all software is eating the world. Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.
You knew it but didn’t mention it as an obvious neutralizer of your objection, in the context of a discussion about possibility (“you could”)? I doubt that.
> I'm willing to provide either a breach or a denial of service for any digital or online voting system you care to describe.
There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?
> Voting is however one of the few situations where the lack of sophistication of pen and paper works in your favor significantly.
This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”
This is baseless and useless. I've discussed this online in several situations, including on hacker news. If you really want to check this feel free to see my comment history here and on reddit.
> There are many systems in the literature. What are your credentials in this field? Are you a cryptanalyst?
There are plenty of systems in the literature, even ones I am happy to stipulate right now are 100% cryptographically sound for the purpose of the discussion. The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election. Once you do that you no longer have a functioning democracy.
> This is as myopic as saying “E-commerce and e-banking are some of the few situations where the lack of sophistication of pen and paper works in your favor significantly. The demands of e-commerce and e-banking are incredibly unsuited to digital systems and definitely to any online systems.”
eCommerce and eBanking have very different needs, so the query/replace doesn't work. In banking you both accept that some people in the banks have access to your data and that transactions can be reverted. None of that applies to voting where the process has to at the same time avoid leaking who you're voting for, provide accurate counts, and be trusted by the average citizen. Those properties are simply not possible without a traditional paper count done by adversaries.
Feel free to point out where you previously discussed receipt freeness. And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?
> The kinds of attacks you'd use against them are not to break the crypto. They're to break the usage of the system by common citizens and eliminate all trust from the election.
You're going to have to be more specific about what you mean.
> the process has to at the same time avoid leaking who you're voting for
This is called receipt freeness, which we just discussed.
> provide accurate counts
This is called universal verifiability, which is also perfectly attainable by e-voting systems.
> be trusted by the average citizen
You've provided no reason to think that citizens will never trust e-voting systems. The very article of this thread provides a counterexample, and it's not even the most secure.
> Those properties are simply not possible
This is just flat-out wrong. It is perfectly possible to have all of the above properties simultaneously.
I'm not going to go around spelunking on my old comments to prove to you that your attacks on me are unfounded. Do your own homework if you care about this for some reason but this is getting extremely aggressive for no reason.
> And if you did, then why didn't you mention it in your comment, which gives the false impression that any verifiable voting system cannot be receipt free?
The point of my comment was to explain that what appears to be a common solution to a problem that we'd use in any kind of electronic system breaks down other stuff in electronic voting. I wasn't about to go 10 rounds of "but you could do X and then be broken by Y". My point isn't that there aren't clever ways to engineer digital systems for electronic voting, is that however you do that you end up with something that can be attacked in horrible ways. See below for an example.
> You're going to have to be more specific about what you mean.
Since you haven't provided a voting system for me to attack I'll try with what I consider to be a very good one:
- You vote by pressing a button or touchscreen at your polling place
- A paper ballot is printed with your vote that you verify and drop into a traditional ballot box to be counted as usual
- A receipt is printed with some code that you can later use to check that your vote was counted in a cryptographically secure way
- Paper ballots are tallied locally as usual, electronic results are sent encrypted to a central server that can be later used for vote count verifications
- The electronic count and the paper count are done in parallel and both published. You expect small differences in the count (mostly from human error in the paper count) but as long as the results match up to a low difference you trust your election.
- There are no flaws in any of the crypto and all the polling officials are honest (this last part is something the paper system does not depend on)
So this seems strictly better than a paper election right? You get the electronic count just as the polls close, the safety that you can later check that your vote was counted electronically, and the double-check of the paper count to fall back on. So here's how I attack it if I'm just a skilled hacker working alone:
- Work as a tech at one of the polling places and intentionally miscalibrate touchscreens. People will register wrong results and get some stories out that strange things happened in some polling places.
- Pick polling places where a minority is heavily represented and break those machines in particular. At worst some extra coverage, at "best" the election gets skewed because those polling places start having long lines and people walk away.
- Spread some malicious code to the general population through any of the normal means (Android apps, unpatched vulnerabilities, etc). I just need to get a small number of common citizens. Have that code intercept the place where you check if your vote was counted and tell you it was not. Hopefully you'll recheck in a clean machine and be satisfied. If possible target politicians and the actual losing candidates in the election so that they are particularly worried that the election was stolen from them.
- Finally hack into the central server where you do the checks to see if your vote was counted and make checks fail randomly.
At the end of this you have seeded pretty deep distrust over the election. Depending on how skilled the hacking is it may be enough to break down the trust in your democracy. I'm not willing to take that risk. But now if you're a very well funded hacker group or a state actor you can do more:
- Hack the network providers and selectively DoS the verification server for minorities or parts of the country that voted against the winner.
- Infiltrate the supply chain of a few of the thousands of suppliers of the voting machines and plant hardware level bugs ...
Whether it's incompetence or foreign attack, the damage done will be the same in both cases, so it's a terrible system to use either way.
You're asking me to prove a negative. I merely said I doubted you knew about receipt freeness because you didn't even mention it as an obvious counterpoint to your claim, which is a reasonable conclusion. If you consider that an “extremely aggressive attack”, fine. It is easy for you to prove me wrong, you just have to point out the comment in question.
In the meantime, I'll continue to assume you either had no idea what receipt freeness was, or deliberately created the false impression that a verifiable voting system cannot be receipt free.
> I wasn't about to go 10 rounds of "but you could do X and then be broken by Y".
You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).
> So here's how I attack it if I'm just a skilled hacker working alone:
So you just assume you can achieve all of this for any e-voting system. Fantastic argument. Really convincing. You may as well have said "Here's how I would attack and infiltrate banking networks or current voting systems surreptitiously. See, we can never trust either of these!" That's just laughable.
> At the end there's a very high chance your election is now fully distrusted and the country is in chaos. Even if it doesn't work 100% of the time it only takes one or two successful events globally for people to distrust these systems, whichever they are.
Clearly wrong as evinced by Estonia's voting system, even in the face of its demonstrated security flaws.
> The scary thing about what I just described is that plenty of it is indistinguishable from what is already happening in some cases in US elections today.
...and it hasn't led to the collapse of the voting system.
> If there are no advantages why do it?
Are you asking what the advantages of e-voting are?
> The difference for eCommerce and eBanking is that under any of those attack scenarios you just go to the bank branch and sort things out, including reverting transactions.
You're assuming banks are always aware of attacks, which is just not true.
> At this point it's on you.
It's not "on me". It's been mathematically proven that a system can possess these properties simultaneously. For example, see
https://link.springer.com/chapter/10.1007/978-3-540-24691-6_...
https://link.springer.com/chapter/10.1007/11818175_22
> You've failed to show that receipt freeness introduces something else that fundamentally "breaks" which wasn't in the original system, despite repeatedly claiming this is so (see also "They fix this issue and introduce others", a claim made with absolutely zero evidence).
The issues that are introduced are exactly all that attack surface that I described how to exploit. You keep insisting that the math checks out but that's not in dispute. The mathematical properties of a well designed electronic system are fine. It's the actual engineering realities of such a system that makes it massively easier to exploit. All those examples I gave and many more are now failure modes you have and didn't before.
> Are you asking what the advantages of e-voting are?
Yes. I live in a country that has heavily invested in e-government but runs very efficient paper elections. I go in on a Sunday at my convenience and get the results for the whole country 2 or 3 hours after the polls close, extremely accurate predictions maybe an hour after. I know of no advantage electronic voting would bring that would be worth the extra cost, let alone the risk and complexity. It's a (very poor) solution looking for a problem.
I can do this multiple times. Each time I void my previous ballot, betraying my previous customer.
Then comes election day, then I show up in person and cast a physical ballot for the party that I favor. As a buyer, my customers have no way of knowing I didn’t void the preliminary ballot by showing up on election day.
Note that frauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.
- If every time you vote you get a receipt for that vote that can be checked if it's still valid then you can send that receipt to the buyer and he can then check that your vote is still according to his purchase - If you can only check that the receipt was registered but not if it's still valid you can't check that your vote was correctly counted because you don't know if the vote has been changed after in multiple possible ways - If you can check that the vote actually is for candidate A at any time you can sell that access to the buyer for him to confirm - If the only way to avoid all this is to also cast an actually secret vote on election day the buyer now just needs to make sure you don't go to the polling place. Posting spotters at the door is not too hard.
I don't see a way for you to actually be able to confirm your vote was counted and not having at the same time the ability to sell your vote in a verifiable way. Perfect verification isn't needed either. If you're selling your vote to the mob you'll have second thoughts about failing to deliver. If you make the process easier "honest" sellers will create the market.
> Note that frauding vote buyers this way is also possible in most election systems that have non-digital preliminaries.
Most I know are actually harder because you only get the single mail-in ballot so you can't do the double or triple voting. If you can show up on the day and invalidate your mail-in then part of same can be done. Depending on how the invalidation of the mail-in is done it can be even sketchier. But I don't consider mail-in and absentee paper votes to have enough security guarantees either way. Paper ballots, in a box, counted by adversaries is the gold standard. Everything else has a high burden of proof.
Someone with a paper ballot can photograph their ballot with a phone of spycam, to prove their vote to a buyer.
It's easy enough to deploy spotters without being found out. Just deploy spotters as exit pollers, they're already part of any modern election :)
And thinking about it some more the Estonian system seems perfect for vote selling. You just provide your ID card and PIN in the last day of early voting and get it back the day after the election. The buyer can vote in your name and hold your ID card to make sure you can't vote in the booth.
I don't know of any reason why it could be accessed, though since parliament is sovereign "if a judge agrees" is always a safe disclaimer to add since the underlying law can be set.
It's hard for me to express what a terrible idea this is. Pray you never get a government that would exploit this.
Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote
Then you have to trust the system to tell you the truth.
These systems can be hacked or just designed to give you false results in the first place.
Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote
My main criticism is that as it is it could still feed the card with the wrong vote to sign. The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.
However it requires trust in the officials to do their jobs correctly and to not tamper the tally.
I, personally, love a lot of e-Estonia initiatives, but consider electronic voting to be a bad idea, unless you are ready to get rid of the anonymity of the vote (you can have secure non-anonymous remote voting)
are not immune to attack either. Unless you go to the extraordinary lengths of making your own hardware in a facility you secure and keep secured for the duration of your democracy, there is no such thing as a 'secure device'. Not when the prize is something so hugely lucrative and advantageous as control over an entire country.
All assuming you trust your government. With opposition parties monitoring vote counts, that's easy. But what about when they have to look for dopant-level chip defects?
This feels safe, and as they have the original paper, they can revote - but they have all the ones in the district in a box somehow.
It is not without reason that most common fraud here in Sweden (around 80%) is someone calling under false pretense asking a victim to use the hardware token in order for the fraudsters to create a new electronic id which is then used to empty the bank account, create credit accounts, and so on. So far those security tokens has had a perfect track record from a hardware perspective, as much good that does. Maybe that is a bomb waiting to explode but it is hard to see a stronger incentives for criminals than what already exist.
When people here discuss electronic voting, security of the hardware tokens is not usually brought up. It is rather all the other elements which makes it a bad choice. There would be no physical ballots that can be verified, questionable anonymity, and a loss of a controlled voting environment. All the common solutions to those problems usually results in the conclusion that it then easier to just keep the current system as is.
"The authority might just lie about the count or throw away or counterfeit votes, or coerce voters other vote a certain way" is not solved by paper voting either, as seen in Russia and many other places.
In other words: It doesn't help at all against malware on the computer.
> The (state-provided) USB reader should have a small lcd screen to sum up the thing being signed "Vote for Ms.Ryjavik on election #123" "Vote for Yes on vote #432" and a confirmation button.
In other words: If the USB firmware is infected, it's still not secure.
> With these modifications, and the ability to check a cast vote has been received, you can have secure elections on insecure devices.
So, if you are using secure devices ... then you can have secure elections on insecure devices? In this scenario you aren't actually using the insecure device, other than for establishing a connection to the internet.
Or rather, as you described it, it also functions as the input device--but that is a security problem because it can be used to violate the secrecy of the vote, so it's not actually secure that way either. The only way to make it secure (sort-of) is to not use the insecure device.
> However it requires trust in the officials to do their jobs correctly and to not tamper the tally.
And that is the reason why electronic voting is not an option. Elections have to be able to remove a government from power against its will. An election process that depends on the integrity and honesty of the government that you want to remove from power is inherently broken. An election process that only works when there is no conflict is not a useful election process.
In the 2016 US presidential election officials basically typod the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. The party officials nor election officials caught the mistake.[2]
If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?
[1] https://news.err.ee/916525/vote-miscount-in-narva-may-cost-e...
[2] https://www.votingjustice.us/tags/election_integrity
With electronic voting nothing stops sysadmin from doing UPDATE votes SET vote = 'Good Candidate' WHERE vote = 'Bad Candidate'.
Also, they cannot store signatures with votes because that would disclose voter's identity and their choice. They have to store signatures separately from the votes and it means that the votes can be freely modified.
Here is what Wikipedia says [1]:
> This criticism was underscored in May 2014 when a team of International computer security experts released the results of their examination of the system, claiming they could be able to breach the system, change votes and vote totals, and erase any evidence of their actions if they could install malware on the election servers.
Of course, the government can install enything on its servers.
Here is a quote from a report on vulnerabilities [2]:
> The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable “black box” of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.
> ...
> The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.
Read: the government can "draw" any outcome they would like. Maybe they already did it, who knows.
[1] https://en.wikipedia.org/wiki/Electronic_voting_in_Estonia
[2] https://estoniaevoting.org/findings/summary/
I can't imagine how Trump won Wisconsin and Michigan except that maybe Voter ID laws made it harder to commit the necessary fraud. Even still, the recounts were only stopped when massive fraud was detected and had to be quietly swept under the rug lest the entire populace find out what a sham our elections truly are.
Also, the whole Russia thing is a lie. It's easy to see that it's a lie--no actual evidence has ever been presented, just innuendo repeated over and over again. That's how propaganda works, you repeat it over and over until people stop questioning where the "facts" came from. The US badly needs to break the backs of the propagandists. We need real journalism again, not this 24/7 Pravda bullshit.
So, could you point to any one election in Estonia's history where electronic voting would have been any better?
> The Soviet era showed that election fraud happens anyway.
That's just bullshit. Just because a solution for a problem is not perfect, does not mean it's useless and that every non-perfect approach is equally bad.
> The problem with paper voting is that mistakes in counting happen very often.
Which is irrelevant to the discussion of security. Mistakes are a very different thing from intentional manipulation, both in how you can prevent them and in the effects. In particular, mistakes tend to average out, which is why they usually don't matter for elections as long as they happen at a reasonably low rate.
> In the 2016 US presidential election officials basically typod the election results in the town of Hazelhurst in Wisconsin, where almost half the votes went missing until a citizen volunteer noticed the mistake. The party officials nor election officials caught the mistake.
... which is why we should employ a voting process where only the election officials have any insight into what is going on, so we minimize the chance that a citizen discovers any errors?
> If mistakes like that can happen then how often do they go unnoticed? How often are these mistakes deliberate?
... and how would an election process that is completely opaque to the public possibly help with any of that?
You can check who you cast your vote for through online voting. You can do it 3 times for half an hour after you voting. You cast your vote on a PC and at the end the voting software shows you a QR code. You can then use an app on your phone provided by the government to check who your vote was counted for.
Read more here: https://www.valimised.ee/en/internet-voting/checking-i-vote
You have no way of asserting that that was the vote that was actually counted in the reported result.
httpp://news.mit.edu/2009/rivest-voting
Of course you need monitors from all interested parties to prevent ballot stuffing, but that's true in every election. It's up to monitors to read the voter list and verify that (probabilistically) there are no/few fake voters on it.
> Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection.
[1] https://estoniaevoting.org/findings/summary/
Listen, if an attacker can subvert 30% of the votes, don’t you think they would also be able to subvert 30% of bank accounts which would use the same security? Banks let use an app to withdraw $100,000. Why not for voting which is far less valuable?
Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way. If you are concerned about the vote being illegitimate then have everyone submit an encrypted video of themselves saying the vote along with the vote, and the app recognizes what is said, displays it on the screen and the person clicks OK.
EDIT: To the automatic downvoters - why do you trust your bank’s app to manage a lot of money but not an app for voting?
For a bank, you have a PIN that is tied to your identity. You may also have a second factor that is tied to your identity. The bank can use this to positively identify that you are the one making the transaction, and tie it back to you.
You can also verify the transactions after the fact because it isn't anonymous. You can log into your account and check to make sure what the bank thinks happened actually happened. And if it didn't happen the way you say, you can contest it.
Also, the risk is actually lower because the bank assumes liability. If a false transaction is made you can protest it and if you prove that it wasn't you who made the transaction, you get your money back. With voting, you can't get your vote back.
You have to sign the outer envelope, which can be verified (and is not anonymous).
> Think about it... anyone can just as easily bring a ton of paper ballots and stuff the box that way.
There are a lot of controls in place that prevent that. Number one, the ballot box is never attended by just one person. Number two, the count of ballots has to match the number of people whose identity were verified and voted, and that verification is done by different people.
To stuff the ballot box, you'd have to buy off every poll worker in that precinct, get the list of everyone who didn't vote, pretend to vote for them, and make sure your ballot counts lined up. Since each precinct only serves a few hundred people at most, you'd at best get to put maybe 300-500 ballots in the box. You'd have to do that at every precinct.
You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.
All the matching of counts etc. can be done electronically too.
Unless your device is compromised.
> Either way, someone can theoretically forge your signature.
They could forge your signature, but to be effective, they need to forge thousands of signatures.
> You don’t have to get a list of those who didn’t vote. You just take the pile of punched ballots or whatever and replace them with your pile.
No, the ballots all have unique numbers and the list of numbers is stored separately. You'd have to buy off all the poll workers to pull that off, and you'd have to reconstruct all the records to match your fake ballots.
> All the matching of counts etc. can be done electronically too.
Sure it can be, but not securely, and security (and integrity) is the number one goal of a voting system. Convenience and speed are secondary.
Let's put it this way -- the State of California only does paper ballots. No voting machines are allowed in the most populous state. Why? Because they engaged many security consultants and couldn't figure out a way to vote electronically that was safer than paper.
It takes over a month to certify a California election, because every ballot is cross checked with the precinct records, they randomly recount various boxes of ballots, they check that the outcomes are in line with the polling data, and they verify every single signature on every absentee envelope.
I think that, once you start there, you will see that you can compromise those just as easily as a bunch of random iPhones.
I think you're too enamored with technology to see that in this case it isn't being luddites about it that is the problem -- it's that very smart people have tried to solve this for a long time and come up with nothing.
It may be time to admit that the hundreds of security professionals with thousands of years of combined experience may just know more than you about election security.
If such a system could be made that it somehow was able to verify that you are actually the individual registered to vote, but also anonymous so no-one could possibly trace what you voted for. Then you need to be able to setup a secure and verified connection (but still anonymous) but unlike your bank account, isn't the target of multi-international efforts to subvert democracy to gain political favour. Deciding what compatible devices and technology should be used and to ensure that all of the voting population has access to it is another challenge.
Another thing required is for there to be a presence of the candidates or representatives on behalf of them that can monitor the voting process and call out any foul play, which would require people with the right expertise to examine the system so they know it properly counts the votes. Which means a open-source system is required, but the exact details of how it verifies voters will also be exposed.
And what happens to the votes, are they not stored at all or stored temporarily? How do you do a recount if they are not stored and if they are, how do you make sure that data is destroyed completely once the result has been declared?
These are all questions that nobody seems to have a practical answer to.
One thing the Estonian system does is that you can verify your vote on a mobile device by scanning a qr code that you see when you cast the digital vote. A vote can be checked after i-voting for up to three times during half an hour.
I imagine if any mismatch was detected the country would shut off i-voting immediately.
Further reading: https://www.valimised.ee/en/internet-voting/checking-i-vote
Also, no method of voting is ever going to be 100% safe. It's not like there haven't been any unfair elections using paper ballots.
See Halter Vote:
https://books.google.com.br/books?id=7gPvCgAAQBAJ&pg=PT144&l...
https://translate.google.com/translate?source=osdd&sl=auto&t...
--
[1] https://ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&...
(Spoiler: Opsec fails begins at 42 min. But watch the whole thing, it's interesting.)
It might be prudent to point out that Estonia is one of the better e-voting systems. Voters can override their e-vote with a regular one on election day. However that just means that other systems are mostly even worse.
Citizens are lead to believe the voting system still works as usual but in the fact the results are manipulated to keep the same person or group of people in power. Which can probably last for a while. Meanwhile the person/group in power can take control of all parts of the state until it slowly fades into an obvious dictature.
This works because most people don't understand technology well enough to understand that electronic voting is very far from secure.
Why are physical barriers restricting public engagement a desirable trait in a democracy?
People want convenience. Citizens would like to vote online, and are largely ignorant of the technical challenges that make it impossible to secure, at least on your average everyday Internet connected consumer device.
Its the job of us techies to keep shouting from the rooftops how all these implementations of online voting are deeply flawed and exploitable the same way climatologists have to keep screaming from the rooftops about the damage rising co2 is causing to our biosphere.
You would have to have an allowance for certain Disabled and Housebound voters and maybe be allowed to miss one election.
I think we have moved beyond that sort of limited franchise.
Btw "active citizens" is a reference to the French revolution
Also, I am a bit worried that online voting might give young tech-savvy people an advantage over old and poor people who don't have access to computers or mobile phones. Has there been studies about demographies in these elections?
[1] https://en.wikipedia.org/wiki/2015_Estonian_parliamentary_el... [2] https://en.wikipedia.org/wiki/2019_Estonian_parliamentary_el...
Same smart card is used every online service in Estonia. 96% taxes are done online.
So online voting is not something new for older people. It is just like every other online service.
Unless you inspect every voting machine, smart-card reader, internet connection, encryption algorithm, etc. for every election completely, you can potentially manipule millions of votes from your home from the other side of the planet. Or on a smaller scale, change all votes of one or multiple voting machines.
You don't need to inspect every internet connection, there's HTTPS.
The key is that one should be able to verify one's vote to ensure that it was properly recorded. If everyone can verify their own vote, then they can verify that the voting wasn't hacked. With paper voting, it is impossible to verify your own vote - it is equivalent to tossing it into a black box.
One might say "then people can sell votes!", but as Estonia has done, you can have it so that one can vote multiple times. And of course there should be extraordinarily stiff penalties on anyone buying/selling votes (I'd say minimum $30k or 20% of one's total wealth fine + prison time).
Needing paper ballots is holding back democracy. E-voting would revolutionize democracy and for the first time in history allow a true direct democracy at scale. Of course e-voting cannot be conducted by emailing votes or some other insecure nonsense like that, but it is ludditism to suggest that it cannot be achieved, which many seem to suggest. This kind of thinking is literally holding society back.
Each reporting station must accept observers and counters authorised by each of the interested parties with local representation. It's a big deal when this process is compromised and always makes the news. And these counters and observes are generally your neighbours from the local community so there is some amount of trust already. Further the section count is acknowledged back from the central counter.
HTTPS doesn't have the proper guarantees for this application.
Changing votes doesn't have the proper guarantees that people won't be buying or extorting votes. Not that it matters, because that's not really the biggest concern with evoting.
Penalties also don't matter against a malicious state actor for any abuse. As an example, Chinese spies go after the relatives in China of US tech employees to force cooperation. A state actor can stack the deck without anybody to prosecute even if caught.
Bottom line is: Conservatives / nationalists are preferred by older folks and these parties lobby against anything that can give votes to liberals. They also know that youngster might skip the voting after all if we would go back to paper voting all together. Also there will be major reputation loss. But since conservatives are against EU, open-trading and anything outside our teeny-tiny pond they don't give a flying fuck about that.
We could have more direct democracy, with high-frequency referendums, reversible proxies, publicly submitted or endorsed bills. The democracies we have were designed around mechanical limitations, so it stands to reason that (at least some) democracies would change when those limits go away.
That said... there seems to be a dearth of ideas, at least few seemingly useful ones that I ever hear.
If you were making a new constitution for a village or city, what could be done with electronic voting and how does it make it better?
BRTW, links welcome.
Rest in peace, democracy in Estonia.
Well, no they the main proponents of e-voting figured a long time ago that it's easier to eliminate those concerns using propaganda. For example if you are against e-voting media will brand you as a backwards russkie who hates Estonia.
But the very basic problems are not talked about, namely: * Votes should be counted by independent parties while preserving anonymity * Certificate issuance should be actually monitored by CT logs, every vote that is not in a CT log is dismissed and logged * Voting code should be actually readable and audited (only opsec has been audited so far)
There are a few other problems but I've forgotten them for the time being. These are the problems we should be talking about, not some bogus like, "Omg how can ten grannies vote quickly online".
> former USSR citizens who lived in Latvia and Estonia and were deprived of the right to receive its citizenship after the collapse of the USSR
What right? Merely living in Estonia doesn't give you any right to citizenship. What's more, it's not that difficult to get citizenship. The main obstacle is learning the local language, as that's part of the test to gain citizenship. All these non-citizens refuse to do so. They take pride in being Russian and speaking Russian. They are openly talking about how great Russia is and how they are waiting for Russia to unite them with the motherland.
Estonia gained independence in 1918. Just because USSR occupied us [1] and transported a bunch of people here doesn't give them any rights to citizenship. The Russian population in Estonia grew from about 23,000 people in 1945 to 475,000 in 1991. [2] Now making up for a whopping 30% of the whole population! This is due to systematic transporation of people as part of Russification [3] where the Russians attempt to eradicate native cultures.
After the collapse of USSR it was possible for them to go back to Russia and/or get a Russian citizenship. Some did that, but all of these non-citizens still left are people who decided that life with fewer rights than citizens in Estonia is better than becoming a Russian citizen and living in Russia.
--
[1] https://en.wikipedia.org/wiki/Occupation_of_the_Baltic_state...
[2] https://en.wikipedia.org/wiki/Russians_in_Estonia
[3] https://en.wikipedia.org/wiki/Russification
--
[1] https://en.wikipedia.org/wiki/Citizenship_of_Russia#Citizens...