49 comments

[ 2.1 ms ] story [ 70.7 ms ] thread
The title is misleading. It's an e-voting PILOT. That's important. "Switzerland is running small-scale e-voting pilots in four of its 26 cantons", three of which were not affected.

From Wikipedia [1]:

> A pilot experiment, pilot study, pilot test or pilot project is a small-scale preliminary study conducted to evaluate feasibility, duration, cost, adverse events, and improve upon the study design prior to performance of a full-scale research project.

[1]: https://en.wikipedia.org/wiki/Pilot_experiment

Meanwhile Brazil does full e-vote for almost 30 years collecting more than 100 million votes (that's 11 times the whole of Switzerland's population).

You'll get there Switzerland, it can be done. It is safer and faster.

eVoting cannot be understood and audited by normal citizens, not even by nerdy ones. It's just good for the trash.
It’s a nice property of elections that you can measure votes needing more intervention against the margin of victory before you decide your next step
I don't care how much maths and encryption you use, you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both.

- Switzerland usually gets around this by knowing where everyone lives and mailing them a piece of paper 'something you have'

- South Africa gets around this by putting ink on your fingernail

I've read quite a bit about the e-voting systems in Switzerland and USA and I just don't see how they thread the needle. At some point, you have to give someone access to a database and they can change that database.

Until we all have government-issued public keys or something, there isn't a technical solution to this? (Genuinely curious if I'm wrong here)

yes you can.

each citizen gets an anonymized private key via a secure channel (eg. postal) and use that to vote.

votes are double enveloped: outer envelop: anonymized id + inner envelop: vote.

mixnet separates the votes and cryptographically shuffles them to decouple relationships.

only at the end the shuffled votes are decrypted using the private key of the election itself that was split using shamir secret sharing (eg 5 out of 7 shares to reconstruct)

the thing that’s not clear from the article and it’s a shame is that it seems the failure was the hardware (the 3 USB keys) not the election software. This could be simply avoided by having redundancy on the hardware (2 USBs per share) or more shares themselves (5 out of 9 shares)

On the US keep in mind elections are run at the state level and below, so we don't have a single voting system, we have 50+.

My state, Oregon, for example uses a very straightforward vote by mail system. They ask if you wanna register to vote when you get/update your drivers license or state id. Your ballot just comes in the mail, you fill it out, send it back. For folks that lack a permanent address or similar, you can get provisional ballots at libraries and similar city offices. The provisional ballots make you fill out enough information to check if you're allowed to vote.

It's simple, convenient, secure, and efficient.

So why don't more states do it this way?

Unfortunately there's a long ugly history of using all sorts of dirty tricks for voter suppression in the US, in particular to keep Jim Crow going. And unfortunately variations of that continue today. I don't have the energy to dig into it fully here, I just want any international readers to be aware there's a whole lot of utterly craven bad faith when it comes to discussions around voting fraud and security in the US.

Sorry, isn't this dead simple?

Maintain a list of identity hashes. When someone goes to vote, deny them if they're already in the list . Otherwise, add their hash to the list then allow a vote to be cast.

I think with zero knowledge proofs we can have it both ways?
The Italian way looks similar to the Swiss way. In detail:

When I go to cast a vote in Italy I bring with me my state issued photo ID (everybody has one, I mean: must have one) and a state issued sheet of paper with the address of the place I must go to vote and a grid of empty spaces. I don't have to register to vote, basically I'm registered at birth. The people at the polling station take my two cards and look for me in their registry. They mark that I came to vote, stamp an empty space on the second card and handle me the paper ballots. I think that in this way it's both anonymous and verifiable. When the card with the stamps is full, they mail me a new one.

The state definitely know where people live. Babies are registered when they are born and people have to register any change of their address of residence. It's been like that at least since Italy became a country in the 1860s.

By the way, how do I know that they counted my vote as I cast it? I can't know it. I must trust that they did not open the box and replaced the ballots, but people from the several competing parties visit the polling station and can attend the counting. I trust that process much more than something happening inside a computer program.

> ...the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both.

Isn't that what secure hashes do? ID to hash is anonymous and checking for duplicate hashes verifies only voting once.

This is just plain wrong.

An extremely simple scheme is allowing voters to enter an identifier of their choosing and displaying that with the votes publicly. This is both verifiable and anonymous.

Any issues you can come up with this scheme are also iirc pretty easily solvable.

> you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both

Seems like the obvious solution here would be for the voting machine to generate two separate records:

- A record of the vote itself, without specifying the voter

- A record of the voter having voted, without specifying for whom/what

And of course, if the number of vote records doesn't match the number of voter records, then shenanigans have likely ensued, warranting an election fraud investigation.

(comment deleted)
> Until we all have government-issued public keys or something

Nah, that still boils down to "you have to trust government". And I preferred when "Why would they care how I vote?" was a rhetorical question.

Swiss vote one-time private key comes in the same envelope as your certificate of eligibility and ballots for postal votes.
> you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both.

Actually, I think there might be a way to get both. I've been thinking about this while building my app SoWasIt.

The idea: A public chain records that "user X voted at time T" (like a digital voter roll). It's immutable and public. "user X" could contain voter Id, name, like on a signing sheet. The vote itself (the choice) is stored separately, with a random UUID generated. Privately during the vote, no timestamp, no incremental id, no link to the voter. The UUID is sent back to the voter who will use it to verify his vote integrity. At the end, all votes are published in batches (anonymous UUID + choice in clear). Ideally in an immutable chain so it can't be altered later (and ideally for me on my app )

=> You can verify your vote by looking for your UUID in the final table. => You can verify that the number of votes matches the number of voters (public chain count = final table size) => you can verify the counting for each candidate

=> You can't link a UUID to a voter unless you have both the UUID and the voter's identity, which only the voter knows.

It's not perfect, you still need to trust that the system doesn't secretly store the link between voter and UUID, or have a man-in-the-middle system to intercept votes whil it's processed. And to not add fake voters: That's why you need to publish something like voter cards ids, so that anyone can go to the administration, check that a specific voter actually exists.

So no, it's not impossible to have both anonymity and verifiability – it's just hard, and it shifts the trust to other parts of the system. But that's politics, not just tech

Anyway, in my humble opinion, people manage to cheat with traditional paper vote (mostly because citizens don't care enough to spend time lokking after the ballot box till the end), electronic can only make things worse. And as the French comedian Coluche once said: "If voting really changed anything, it would have been banned a long time ago."

That's a very exact number if you know what I mean
You mean round, not exact.

Looks like some block-size thing.

Stories like this probably scare some people off from electronic voting but I don't think this is that big of a deal. When we finish voting operations in my area we load the ballots up on someone's personal vehicle and they take them down, securely, to where they need to go. That vehicle could get blown up and those ballots could be gone, though I think we could still get a record of the results.

That being said for the United States, I am in favor of in-person voting requiring proof of citizenship, and making "voting day" a paid national holiday. Not so much for technical or efficiency reasons but for social reasons. I'd argue it should be mandatory but I don't think we should force people to do anything we don't have to force them to do, and I'm not sure we want disinterested people voting anyway.

Exercising democracy, requiring people to put in a minimal amount of thought and effort goes a long way. It should be a celebratory day with cookies and apple pie and free beer for all. Not some cold, AI-riddled, stay in your house and never meet your neighbors, clicking a few buttons to accept the Terms of Democracy process.

I know there's a lot of discussion points around "efficiency" or "cost" or "accessibility" or how difficult it supposedly is to have an ID (which is weird when you look at how other countries run elections) and there are certainly things to discuss there, but by and large I think the continued digitalization and alienation of Americans is a much worse problem that can be addressed with more in-person activities and participation in society. We're losing too many touchpoints with reality.

(comment deleted)
Brazil has digital voting since 1996 and it works pretty much flawlessly. I'm sure Switzerland will figure it out someday.
> Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via alexa! I love the future!

> Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.

sigh

This is why you do parallel paper/electronic voting. Fill it out electronically, it prints a receipt (maybe including a QR code), you mail the receipt (along with the 'classic' absentee voting stuff, i.e. double envelope, proof of eligibility to vote in the outer envelope.)

Oh and as a side effect it can be audited very nicely.

Why is everyone so obsessed with automating voting? It seems to me to be a 'solution' to a non-existent problem.
(comment deleted)
If implemented properly it has some significant advantages: faster counting, votes can be verified, more resilient to fraud. Unfortunately it seems like nobody is implementing it properly yet.
> It seems to me to be a 'solution' to a non-existent problem.

Electronic voting has lots of advantages. It can be end-to-end verified, it can be a great help to disadvantaged people (blind, illiterate), it can deliver results faster, it can probably be made more robust to retail-level tampering than paper ballots provided a paper audit trail it kept (as all electronic systems designed with security in mind do).

The one question mark in my mind: the current US system resisted Trump's efforts to corrupt it pretty well. I think that was because of the inertia created all the people involved in staffing the ballot stations, counting and verifying the votes. The machinations of the electoral college being highly visible put people doing the wrong thing at high risk for decades after Trump leaves the stage.

An automated electronic system could remove a lot of that human inertia. Human efficiency is not an advantage in an electoral system, it's a weakness. You want as many people involved as possible.

I wish the article had more technical details. Obviously, 2048 being a power of 2 stands out as being possibly related.
It was a pilot. Isn't this (kinda) good news that this "bug" was caught and now the next iteration will be closer to the intended behavior?
honest question - has any country actually deployed e-voting at scale without running into serious issues? it feels like every pilot i read about hits a wall at some point
While this sounds like it allowed remote voting, it's interesting that some places (e.g. The Netherlands) went back to 100% paper instead of voting machines. That causes counting to take quite some time, with estimates/interim counts in between.

I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recoding the vote in a database. That is 100% anonymous and can't be cheated. The database is the instant answer at election closing time, and then you can take some days to count the papers as confirmation that nothing weird happened.

No way to hack that. If you print something different on the paper the voter will see it. If you try to hack it by printing more papers than actual votes, the paper count won't match the amount of voting passes that you collected/verified when letting people into the polling station.

It may even be safer than the current paper approach, because if the paper vote counters try to cheat their counts won't match the database triggering an investigation as well.

If the paper vote is the source of truth, then the database just seems unnecessary.
I don't understand the need for e-voting. Germany's entirely paper-based system works fine! After voting closes, volunteers count the votes for a few hours and we get a result.
Everyone ever involved with IT in Swiss governments (both on a cantonal and on the federal level) will not be surprised.
Paper has a trail, e-voting makes it's own trail.

No thanks.

The biggest advantage physical voting has it is follows human-scaling laws. Which often is a problem (inefficient) but for voting this is a massive benefit for one particular reason - due to lack of automation any fraud doesn't also benefit from the same automation so has to be large scale and widely distributed for it to be impactful (the fraud has to be distributed to the humans involved). Which isn't to say that it can't happen (and does!) but requires a lot more effort and in the physical world there always a lot more fingerprints left, cameras looking, informants, etc.
Paper ballots work just fine. Why are we using tools for scale (computers) when voting is an incredibly small and finite domain. Just total waste of tax dollars and over engineered solution to a simple problem.
Paper ballots are a must. Vote on a touchscreen, then have the terminal print out a voter-verifiable paper ballot that can also be machine counted.

Make the ballot printout layout a standard format. Then machines from multiple vendors can verify the counts on a subset of the ballots. And as a last resort, the ballots can be hand counted as well.