37 comments

[ 2.7 ms ] story [ 72.1 ms ] thread
It may not be a popular opinion around here, but the best election guard is doing them with pen & paper.
100% agree.

If automation is needed, use scantron technology (where you fill in bubbles on actual paper), which can be manually audited if necessary.

No firewalls, phishing, spectres or meltdowns.

The Hanging Chad 2.0
"It is very important that you use a No. 2 pencil. It is very important that you fill in the entire circle darkly and completely. If you change your response, erase as completely as possible. Incomplete marks or erasures may affect your score."

And here I was, thinking I was done with scan-trons when I finished high school.

But seriously, couldn't you modify a scan-tron's firmware to falsely report results? It's much harder to tamper with every person in an election across wide geographical areas.

A hand recount of the physical ballots would hopefully expose the correct count if a modified scan-tron was miscounting.
...which takes us back to hand-counting. In that case, what is the purpose of scan-trons in the first place? They may be easier for machines to grade, but are harder for humans to grade (harder to follow question number to line). So we will lose time gained with scan-trons to slower human re-counts.
When margins are wide, you could count 10% of the ballots by hand as a sanity check on what the machines are reporting.

When margins are close, you could count them all by hand.

Pretty sure we could develop ballots that are easy for both humans and scanners to read. By using computer vision rather than whatever they had in the 1980s I'm pretty sure we could find a solution here.

Even so, given the value of our democracy, I'd happily support returning to counting all ballots by hand every election.

I think it actually is a popular opinion here, and in general, among people that write software and/or have a basic understanding of encryption.

Ever tried to get a non-technical person to use any kind of non-"automatic" encryption (eg, anything they have to directly interact with, as opposed to something like HTTPS)? Now imagine that but include people that can barely use their phone/computer.

Care to explain why you think pen and paper is the best solution?
It is documented all the way down to a single vote (some voting-computers must implement a paper-trail as a secondary feature, here it is free). Tempering is very hard when there are enough volunteers, providing oversight over the procedures. Everyone (not just security specialists, versed in reverse engineering) can verify if a vote has been tempered with.

Well that said, I don't think its the "best" solution per se. It is wasteful -- a lot of paper must be produced for this single task. It is not completely free of loopholes, but they are burdensome and can be verified by a second count. And I can understand why countries like e.g. India or Indonesia use computers in this situation, millions upon millions of people cast their vote over a limited time period -- it's a logistical nightmare.

But it is far better than trusting a computer, that by definition "can do everything computable". And falsifying an election is definitly computable.

>Everyone (not just security specialists, versed in reverse engineering) can verify if a vote has been tempered with.

Tampering with paper elections is extremely easy. You can throw out entire ballots, fill in choices where left blank, or force the ballot into an invalid state.

Not to mention the task of counting ballots using people necessarily requires splitting up the task and trusting people.

Electronic voting systems are supposed to address many of these problems, especially as processing the election becomes laborious. We don't need to give up on electronic counting solutions. We just need to make them impervious to tampering and/or verifiable.

>But it is far better than trusting a computer, that by definition "can do everything computable". And falsifying an election is definitly computable.

Tallying up votes by hand is also computation, you're just switching silicon for people.

> Tampering with paper elections is extremely easy. You can throw out entire ballots, fill in choices where left blank, or force the ballot into an invalid state.

Hard to do this while you're being watched by observers though...

And if you need to recruit many people to make your tampering scheme work, then it's much harder to keep it a secret.

The trust model for elections is fundamentally a human one: the hundreds of thousands of American volunteers (mostly senior citizens) operating via transparency, norms, and good faith. All the tech in the world, even the most solid FOSS crypto, couldn't fix it if the process were corrupted at the human level.

The best reason to use pen and paper is to ensure that the process is auditable and legible to the most number of regular citizens, not only for security and integrity, but for perception and public trust, which are arguably the most important backbones of democracy. (We may have low confidence in some aspects of our system, like gerrymandering and voter roll purges, but we almost take for granted that once one is in the booth, there's a high reliability that one's vote will be counted correctly.)

Paper ballots, hand counted, twice.

This is still the most optimal current system as it much harder to corrupt at scale. The proprietary systems we have can easily be corrupted at the time of aggregation. There have been enough examples of people demonstrating simple tally hacks that there is no way to know if any election is genuinely counted accurately.

That's not to say that its impossible. I think block chain has some promising potential here but databases that are proprietary are completely untrustworthy today.

Are forgetting the dumpster fire of 2000? If votes can get invalided because of a hanging chad, what hope would a bubble not being filled out completely have?
https://xkcd.com/2030/

Best part is the alt text though...

"There are lots of very smart people doing fascinating work on cryptographic voting protocols. We should be funding and encouraging them, and doing all our elections with paper ballots until everyone currently working in that field has retired."

It's a terrible idea. Paper-only elections are easily corrupted. The right answer is combining paper & electronic.
But tampering with a paper-only election requires physical interference and working across many different locations. It is much easier, if you have the talent, to break into an electronic election.
That's why you use both. Paper for tallying and electronic for auditing. I used to think electronics wouldn't help but now I'm starting to be convinced.
Tallying is only a problem if polling stations are overcrowded.

The simpler solution is to hire more counters. I can't imagine that'd be more expensive than developing custom hardware & software.

Also less expensive than transporting and deploying an enormous amount of computers and networking equipment on Election Day.
Electronic elections suffer the same corruption issues but are more scalable.
What you are proposing it to "recount" when the electronic voting does not match expectations. It's a awful idea, and is equivalent to electronic-only voting since recounts are expensive and get challenged in court.

Why Electronic Voting is a BAD Idea: https://www.youtube.com/watch?v=w3_0x6oaDmI

It will be possible to use ElectionGuard as the core of optical scan systems. This will give end to end verifiability properties on the recording and counting mechanisms.
Ballot boxes ended up in rivers and lakes when it was pen and paper. You need both. This is a good start.
> The ElectionGuard SDK will be available through GitHub beginning this summer. We encourage the election technology community to begin building offerings based on this technology and expect early prototypes using ElectionGuard will be ready for piloting during the 2020 elections in the United States, with significant deployments for subsequent election cycles.

Where is the "we invite interested developers and groups to audit this code and try to build exploits" stage?

> recently received $10 million in funding from DARPA to build a demonstration voting system

and maybe with a bounty reward program?

Then again, maybe because this is more of a reference implementation designed to be incorporated into other products (MIT license) maybe the only thing that matters is how the final implementation is done?

My understanding from previous articles is that the DARPA grant went to coming up with the architecture and spec, then vendors would do the actual implementation. This looks like middleware.

From this random coder's perspective, the architecture previously designed sounded good. Voting and tallying were two separate systems. A physical, user-decipherable, paper that the voter carries over connected the two (it sounded something between a QR code and scan-tron).

It's good to see an open source codebase that multiple vendors would implement against.

Cool use of Hom encryption, but does nothing about disenfranchisement.
Gerrymandering, preference distortion through no proportional voting systems, Duverger's Law. I mean, I'm glad people are working on the problem-space of democracy, but I'd guess that other issues more greatly effect voter disenfranchisement and apathy.
The problem in 2016 wasn't that anyone "hacked" our election, it's that they hacked our electorate. Turns out that people's opinions are much easier to change than cast ballots.
One problem at a time. This wasn't specifically intended to address disenfranchisement. But commoditizing the infrastructure helps protect against "we don't have enough resources to let all these people in an underserved community vote."

In previous (recent) elections you hear about voting machines sitting in storage or running out of paper ballots. Having a mature and open voting infrastructure allows old, commodity hardware to be used (including paper) instead of expensive, proprietary machines that can go "out of date" and "no longer supported/updated."

You can't solve a political problem by providing access to tools.

Politics is all about which tools are used and how.

Love that there is more movement around solving this. Paper ballots DO NOT allow a voter to verify there vote was counted and is a huge issue with TRUST. Allowing users to verify their votes (however it happens) COULD have a big impact in voter participation.

Looking forward to seeing this movement keep advancing.

There is one more problem with encrypted elections not yet listed here; the vote is secret for now but 5, 10 or 20 years later it will be easy to break.

This might mostly be a problem for those then powerful, if someone find out that they voted "wrong" long time ago, our trust in them will be reduced. Yet a way to do negative campaigning.

Holy cow. This is like using inmates to process rape kits.