This is a bit of a tangent but I think reports like these strengthen the argument against electronic voting. There's basically no way of building a secure electronic voting system that can beat the security and auditability properties of old school pen and paper voting.
Generally a lot of voting security experts advocate for paper ballots with electronic counting. It is very robust, efficient, has great fallback, and lots of systems available to keep secure.
I envision a system where after I vote I rip off the top of the card and am able to use that hash-like token to later verify that my vote was counted correctly.
That's only viable in countries/situations where secret ballots are not a strict requirement and vote buying is not perceived to be a problem
With paper ballots if you want to be sure that your vote was counted correctly you generally can go and see the counting process, as a bonus like that you help ensure that every vote is counted correctly
It’s possible to keep it secret, it’s just more complicated. I proposed one such setup in an old comment. Quoted here with some fixes.
“What if you get the receipt with UUID and your voting choices, then at a separate kiosk only in the polling station, you can enter your UUID to view the full results as posted online (meaning electronically recorded and stored). Along with your UUID and results, a hash of the two is displayed and can be printed onto your receipt. Before leaving the station, you must detach and dispose of the plaintext voting choices portion, but you can hang onto the UUID + hash.
At any time in the future, you can enter your UUID into the site, which will compute and display only the hash, giving you verification of no tampering but not disclosing any results to nefarious third parties.”
It’s not foolproof and still requires more trust in maths than just showing your voting choices would. But it does solve vote buying and voter intimidation.
The only time vote buying was historically a problem was when it was decriminalized or legal and done out in the open. The instant it was criminalized it evaporated completely.
Doing it on a scale that is large enough that it becomes meaningful quickly becomes impossible even if the police only do a few half-hearted sting operations.
I'm not particularly in favor of electronic voting but I wish this particular meme would die coz it's mainly gonna be used to excuse voting systems corrupted at the source that the voter can't check.
> The 2010 and 2012 surveys for the Americas Barometer showed that 15% of surveyed voters in Latin America had been offered something of value in exchange for voting a particular way
> 16% of voters [in Africa] were offered money or other goods in exchange for voting a particular way in the most recent election
And yeah, in developed countries and stable democracies it probably wouldn't be an issue, but then maybe it would eventually be, and it's a pretty big flaw to introduce in order to achieve something that is not an issue
You can already check that your vote is being counted with paper ballots, you sign up as a poll observer or worker and you look at the vote counting operations
Brazil was a clear example of where it started out legal (until 1999!). After it was made illegal it declined a lot in spite of really inconsistent enforcement.
Where it happened it was perfectly obvious who was doing it, but the cops wouldn't touch them. It was a crime committed out in the open.
A similar pattern played out in America in the 1800s where it was widespread, made illegal, started out not particularly well enforced and then it gradually became extinct.
Everywhere it's been a problem it's basically been officially tolerated. The crime quickly becomes impossible to commit if it isn't.
This is in stark contrast to many other crimes (e.g. drugs) where even strict enforcement doesn't do much.
No, you could do it in a way where the voter can verify their vote was recorded correctly but can't prove it to anyone else. Trivial method: require the voter to assign random numbers to each candidate. They remember the number of the candidate they chose. The voting system later says "you voted for 6".
You have all of the recording done to a paper tape that the user can inspect as their vote is made. That paper tape is read by machine later. That means you only need to trust the counting machine, which is pretty easy because you can easily do random samples to check it is working, or have both parties count or whatever.
You can't eliminate the possibility that your paper vote is completely discarded and replaced by fake ones. But that's not really any different to existing non-electronic voting.
I think the problem is who builds it. I wouldn’t trust election software that wasn’t open source with a lot of eyeballs on it. Diebold wasn’t exactly a shining example to set. Preferably a non profit organization backing it and then having it adopted as a standard. I just don’t see that happening in the US where voter obstruction is part of at least one party’s strategy.
Open source doesn’t actually matter here. A closed source electronic system should work just as well. Why?
The way it should work is the machine should just print out a scantron AND a human legible copy (probably with a bar code linking the two). The person submits both by hand. You get early results by counting the scantron. Before certification, there is a statistically significant manual counting of the human legible ballots. For tighter races you recount all. The linked barcode lets you also statistically cross-validate in case there was a discrepancy between the machine readable copy printed and the hand ballot (you sample randomly).
Open source means absolutely 0 here. There are too many vectors of attack (eg physically compromising a machine, chain of custody, malware etc). Better to assume the machine is compromised and build a system that doesn’t care.
How does open source help? If I place a device in front of you and tell you it's open source, there is no guarantee that it is running what you can download from github.
It’s just that Windows is quite a bit more complex and vulnerable compared to much simpler and security focused OSs like a BSD back then or maybe Alpine Linux these days.
That's the point of the system I described. Vulnerabilities of the automated system don't matter. You verify the manual result and the digital result are the same.
The issue is verification - how do you verify the electronic count was accurate?
And if you're going to manually count it to verify the electronic count, then why have the electronic count in the first place?
A small, statistically representative sample of the paper ballots are counted by hand and compared against the electronic count. If discrepancy arises, a more thorough audit is performed.
Interesting, makes sense. Is this actually the recommended resolution process by the vendors as well or is this something that needs to be approved and adopted by each voting precinct?
Spot checks are good enough in such a case; if you manually count 1% of the votes and the margin of error is negligible, the electronic count is sound. If there's too many errors / differences, stop using the electronic counting and just count by hand.
This is what a lot of states get wrong, with the voting machine itself being the gateway to entering your vote and having it read. For the machines in my Georgia county, it prints a paper ballot that you drop into a counting/scanner machine, but the issue is that the only thing on the paper is a QR code that is likely encrypted (nothing readable when scanned with a standard QR reader), so there really isn't a way to verify that the paper you got actually matched what you entered into the ballot machine.
The ideal system is: ballot machine entry -> prints paper ballot scantron style, so the only information the scanner will see is what you've verified is correct -> scanner reads it and enters it into their database while also saving the paper.
This is how it works in India: Once we click the button for a candidate, there will be a light highlighting the selection on the voting machine. A printer that is connected to the voting machine prints the voted candidate symbol (and name?) and shows us the printed paper through a glass for a few seconds for verification and then drops it in.
Later during the counting procedure, random ballots are counted for both. If someone raises some issues about the voting, those are then counted using printed ballot papers.
I do not think so (my opinion, I may be wrong here).
Paper ballots (pen and paper) are susceptible to more rigging. Government officials can directly change the results by deliberately miscounting the results. It is seen in many countries where corruption is very high in the election commission. In these places, elected candidates, voters, 'pro-democracy' individuals advocate for electronic voting (Electronic Voting Machine, EVM.)
Recently, we saw the images and videos from the recent Belarus Lukashenko elections, where the officials just threw out paper ballots. In Pakistan, to curb voter fraud by paper ballots the previous Imran Khan (PTI) Government tried to install electronic voting equipment at locations particularly in rural areas where voter fraud was at a really high rate.
The ruling Government can use its state power to influence the outcome of elections. By pen and paper, the actual voting happens in a 'democratic way', but, the counting is left to individuals which will commit voter fraud.
Whereas, in electronic voting, 'Code Is Law', every single vote is counted properly. To curb the cons/disadvantages of electronic voting, which are
a.) The underlying code can be tweaked by the ruling government to give them an advantage in the counting.
b.) Voter fraud can be committed by abusing the actual hardware of the voting machine.
To solve this particular problem, the Election Commission of India (ECI) recently tried to bring some new changes. It majorly includes, having paper proof along with electronic proof called as VVPAT (Voter Verifiable Paper Audit Trail). The way it happens is:- When you cast your vote to a candidate 'C', the machine will print a slip with the proof of your vote to candidate 'C'.
So, if the opposition party alleges that voter fraud happened with the tampering of EVM, the election commission (or an independent third party, or the opposition candidate himself on his own) can then do a recount based on the VVPAT slips and cross-check the results per booth (per EVM).
> can directly change the results by deliberately miscounting the results
This is why in liberal democracies the process of casting and counting votes is usually done in the presence of at least representatives of the candidates running and more usually whoever wants to attend them
You'd need total complicity in every single polling station to cheat without raising alarms
In electronic/internet voting, unless there is a paper trail which can be counted in the same manner as manual voting, all you need is government officials to tweak the code/the hardware being used. Are you going to let every candidate audit every single machine independently? Unlikely since that is, in and of itself, a security risk
> where the officials just threw out paper ballots
And since they had to physically remove material evidence we were able to get videos of it happening. Plugging a USB while the machine is in the warehouse or in the middle of voting can be done a lot more discreetly
> counting is left to individuals which will commit voter fraud
Which is why counting is usually done with supervision
The system in India works, but it works because it reduces the entire process to a paper ballot. Ultimately the security guarantees of the Indian elections are identical to the security guarantees of the traditional paper ballot system
The digital component is limited to easing the logistics of getting the first results of the election in a timely manner
Which is about the extent to which you should trust electronic voting
You pointed the problems out yourself, but the compromise India gives is severely misguided: It leaves the possibility of the paper ballots not being counted. If the paper ballots aren't counted, you open yourself up to the possibility of both a) and b). If the paper ballots are always counted, Tom Scott had the very nice quote "Congratulations, you just invented the world's most expensive pencil."
There is no better way of voting than physical paper, but the running government has to be both determined to allow democratic elections and enforce its monopoly on violence to protect the voters and ballots.
True, it can be costly, I agree with it. But there is no other way to have fair elections where everyone believes that the election which happened was fair itself.
In paper ballot voting, the election commission is gonna count the paper ballots one by one. It is gonna cost money. The same amount of money will be for EVM+VVPAT. (less actually, as paper counting will be less and reserved for candidates who want a recount).
Does having a paper trail generated exactly after voting help? This is the system that's followed in India. I tried to think of ways it could fail but it seemed pretty foolproof as far as I can think. I'm pretty sure I might have missed some corner case.
If you're going to have a paper trail for an electronic system, then why not just use the paper system?
It's like there's a pro-electronic movement that's looking for every excuse to move to electronic...
Ok, so we go electronic.
We put in all these extra checks and balances to account for its downsides.
It runs well.
People start questioning the need for the checks and balances, since it's so foolproof.
So we remove the checks and balances.
<anakin-fun-begins.gif>
<shocked-pikachu.gif>
For the people that complain about the staffing requirements for a paper-based election: it's a feature, not a bug. The sheer number of people involved make it virtually impossible to rig an election.
In India at least there is a lot of votes to manually count. Electronic just makes things smoother. As for people questioning the need, I didn't hear anyone raising this during the last election I followed. Besides I'm pretty sure either the Election Commission of India or the various opposition parties will point out the problems with having just electronic vote records. As far as electronic voting with paper trail goes I see it as just a normal paper based voting system with an automated counting system that can be easily verified
> "For the people that complain about the staffing requirements for a paper-based election: it's a feature, not a bug. The sheer number of people involved make it virtually impossible to rig an election."
There are two ways to rig an election. The first is miscounting or changing votes but I think the other is the real risk and likely dates to the very first time we as a species ever started having votes by anonymous ballot: ballot stuffing. If, at any time in counting process, an individual could successfully insert a single valid but fabricated ballot into the process, the entire system is vulnerable.
And the number of votes required to change elections tends to be shockingly low. In the 2020 election, more than 155 million people voted, but the outcome of the presidential election itself was decided by a total of less than 43,000 votes [1]. That's a margin of victory of 0.03%. So a system that was 99.9% accurate at ensuring that each ballot was completely legitimate would be insufficient.
Here in Australia, ballots are (initially) counted at the place they were cast. Every ballot issued has a corresponding (but unlinkable) person on the roll (electors are crossed off the roll prior to a ballot being issued). The count of names crossed corresponds to the number of ballots issued which will correspond to the number of ballots counted at the end of the day. Virtually impossible to "insert" a ballot as then your final count would exceed ballots issued.
As the count is completed at the polling place, of which there are multiple per electorate, the total number of votes is substantially lower than 43,000 even, and so the % accuracy is much higher. No publicised figure (that I know of) for how many "missing" ballots there can be before questions are raised, but I suspect it's in the single digit range. Ballots are generally counted a couple of times, but even more if there's any ballots missing.
> If, at any time in counting process, an individual could successfully insert a single valid but fabricated ballot into the process
This varies by jurisdiction obviously, but where I'm from the procedure for counting must be done in an area which the public can access and it begins with a single person taking ballots out of the box one by one and giving it to a chain of 2-3 other people.
This way you can count how many ballots were taken out of the box and check with the totals at the end
And obviously the box is always in the presence of observers from various stakeholders
> less than 43,000 votes
Unless you can predict where these tiny margins will manifest with perfect accuracy you'd need to add a lot more fake votes, or at least have thousands of conspirators ready to add them at a moment's notice, that's ridiculously hard to organize discreetly
I’d argue that gerrymandering is a far bigger issue than ballot stuffing. Its sole purpose is to ensure that elections go in favor of the party who draws the map. If that ain’t rigging an election, I don’t know what is.
One reason is efficiency, if you have the machines counting you get results faster and then you can audit only a random sample of machines records and get statistical guarantees of the election integrity. (The machine can't know before that it will be audited so if you test thousands of machines and find no discrepancy it's highly unlikely a significant portion of the others did cheat)
A second is that it allows one more level of trust. With a paper ballot you have to trust that the poll workers are going to notice/stop/not help ballot stuffing etc. In most cases that's a good enough guarantee, but with voting machines you can also trust the people who programmed and audited it
If the poll workers are trustworthy, because of the paper trail, you don't have to trust the auditors of the machines, but if you don't trust the poll workers then you can gain a modicum of trust from the auditors
This link talks about the benefits in the Indian election, specifically a software lock on the amount of votes per minute that can be cast
It also shows that in 2013 they audited "only" 20k machines out of almost millions yet found no discrepancy. Statistically that's probably good enough if the choice of machines audited was random
One last way it might be useful, though this is an abstract scenario, is if you want to deploy a more complicated to count voting system to large areas. In some voting systems counting can't be done in parallel, you need to do one round of counting, wait for everyone else and then do a second round and so on.
Similarly some voting systems might benefit from a digitized interface (for instance ballots in Austria look like this: https://cdn1.vienna.at/2013/09/zettel.jpg and there are systems which would lead to even larger forms) which outputs a paper trail with only the actual information the voter inputted (in the case of the ballot I showed it'd pretty much just show a party name and a list of candidate names)
In these cases a machine outputting an auditable digital model of the votes cast would greatly simplify counting procedures. You could have every polling station just publish a signed file with the votes in their station and everyone could run the election algorithm
The votes can then be audited same as in the Indian system
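The random-audit argument in the comment above (audit a random sample of machines, find no discrepancy, infer the rest are sound) can be put in numbers. This is an added example, not part of the thread: the fleet size of 1,000,000 machines is an assumption standing in for "almost millions", the 20,000 audited machines come from the comment, and the machine ids and public seed are constructed.

```python
import hashlib
import math


def miss_probability(total, tampered, audited):
    """Chance that a uniform random audit of `audited` machines out of `total`
    contains none of the `tampered` ones (hypergeometric, zero hits)."""
    if not (0 <= tampered <= total and 0 <= audited <= total):
        raise ValueError("tampered and audited must be between 0 and total")
    if tampered + audited > total:
        return 0.0  # pigeonhole: the sample must include a tampered machine
    # C(total-tampered, audited) / C(total, audited), written as a product over
    # the smaller of the two counts and summed in log space for stability.
    small, large = sorted((tampered, audited))
    log_p = math.fsum(math.log1p(-large / (total - i)) for i in range(small))
    return math.exp(log_p)


def max_undetected_tampered(total, audited, risk):
    """Largest number of tampered machines that still slips past the audit
    with probability >= risk. Anything larger is caught with confidence
    greater than 1 - risk."""
    if not 0 < risk <= 1:
        raise ValueError("risk must be in (0, 1]")
    lo, hi = 0, total - audited
    while lo < hi:  # miss_probability never increases as tampering grows
        mid = (lo + hi + 1) // 2
        if miss_probability(total, mid, audited) >= risk:
            lo = mid
        else:
            hi = mid - 1
    return lo


def draw_audit_sample(machine_ids, public_seed, count):
    """Reproducible sample: rank machines by SHA-256(seed | id) and take the
    first `count`. The seed is assumed to be produced in public after the
    polls close, so no machine can know beforehand whether it is selected,
    and any observer can recompute the selection."""
    def rank(machine_id):
        return hashlib.sha256(f"{public_seed}|{machine_id}".encode()).digest()
    return sorted(machine_ids, key=rank)[:count]


if __name__ == "__main__":
    TOTAL = 1_000_000   # assumed fleet size
    AUDITED = 20_000    # figure quoted in the comment
    for tampered in (10, 100, 1_000):
        p = miss_probability(TOTAL, tampered, AUDITED)
        print(f"{tampered:>5} tampered machines escape a clean audit with p={p:.3g}")
    print("95% bound on undetected tampering:",
          max_undetected_tampered(TOTAL, AUDITED, 0.05), "machines")
    ids = [f"EVM-{n:04d}" for n in range(1000)]  # constructed ids
    print(draw_audit_sample(ids, "constructed-public-seed", 5))
```

Under these assumptions a clean audit of 20,000 machines bounds undetected tampering at roughly 150 machines with 95% confidence, but only if the selection is truly random and made after voting ends.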
> The machine can't know before that it will be audited so if you test thousands of machines and find no discrepancy it's highly unlikely a significant portion of the others did cheat
> It also shows that in 2013 they audited "only" 20k machines out of almost millions yet found no discrepancy. Statistically that's probably good enough if the choice of machines audited was random
So how do you protect against the corrupt actor manipulating every machine except the percent that will be checked?
> With a paper ballot you have to trust that the poll workers are going to notice/stop/not help ballot stuffing etc
There's a simple and straightforward solution: Have people from opposing political parties count the vote and check each other's result. If you have members of the far left, far right and everything in between sitting there, checking each other's results, there's about a 0% chance any vote will be miscounted.
> In these cases a machine outputting an auditable digital model of the votes cast would greatly simplify counting procedures. You could have every polling station just publish a signed file with the votes in their station and everyone could run the election algorithm
There is no difference between a machine publishing the counted votes and the poll workers publishing the counted votes, is there?
India checks 5 machines randomly selected in each voting "segment", no clue what that is but it's smaller than a constituency so I guess it's a polling station
From what I understood that's done locally right away after polls close. So that means that you'd need a way for the conspirators to identify the non tampered machines and for them to randomly select exactly those machines and you'd need them to be present in almost all polling stations and no one to challenge the choice
At that point it's essentially the same level of trust needed for paper ballots
> Have people from opposing political parties count the vote and check each other's result
Yeah, but apparently that particular attack vector was a problem in India and this feature helps mitigate it, electoral solutions need to account for the practical situation they're in. For instance I don't support any form of electronic voting machines in my polity because the electoral system works fine with paper ballots and there aren't issues of ballot stuffing
> There is no difference between a machine publishing the counted votes and the poll workers publishing the counted votes, is there?
Yeah, but I was talking, for lack of a better term, about non additive electoral systems, in which the information conveyed in multiple ballots cannot be easily compressed
For instance in the FPTP system you can compress all the information in a polling station by counting how many votes for X how many for Y etc. And you can simply add up these numbers to other stations
The complexity scales linearly with the number of candidates
In a system like, for instance, IRV, where the voter ranks the candidates and the rank is an important part of the ballot itself you can't easily transpose all this information into a single number
The most you could do is build a tree data structure where the first level nodes are the first preferences and each node points to other nodes based on the successive preferences.
In this case the complexity of the process is exponential/factorial because you need a field for every possible combination of preferences, including cases in which not all candidates are ranked
My point was that going from a ballot to that structure is probably more error prone and time consuming to do manually than having a machine do it and that could conceivably be a reasonable justification to use electronic voting machines
The auditing will still be time consuming but that's mitigated by the fact that you audit only a portion of voting machines
But to clarify, I'm of the opinion that paper ballots and manual counting are preferable in every electoral system used at the national level that I'm aware of
India's electronic system is just not worse than paper ballots, which for electronic voting systems is a huge success
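The FPTP versus IRV point in the comment above, as an added example that is not part of the thread: per-station first-preference totals are enough for FPTP, while IRV needs the count of every distinct ranking. Candidate names and ballot counts are constructed, and the alphabetical tie-break is an assumption made only to keep the run deterministic.

```python
from collections import Counter
from math import perm


def possible_ballots(n_candidates):
    """Distinct valid rankings when a voter may rank 1..n candidates:
    the worst-case number of rows a station's IRV summary can have."""
    return sum(perm(n_candidates, k) for k in range(1, n_candidates + 1))


def fptp_summary(ballots):
    """FPTP: one counter per candidate, so stations merge by simple addition."""
    return Counter(ranking[0] for ranking in ballots if ranking)


def irv_summary(ballots):
    """IRV: the mergeable summary is the full profile, one counter per
    distinct ranking (a flattened form of the preference tree)."""
    return Counter(tuple(ranking) for ranking in ballots if ranking)


def irv_winner(profile):
    """Run instant-runoff rounds over a merged profile {ranking: count}."""
    if not profile:
        raise ValueError("no ballots")
    remaining = {c for ranking in profile for c in ranking}
    while True:
        tally = Counter({c: 0 for c in remaining})
        for ranking, count in profile.items():
            # A ballot counts for its highest-ranked candidate still in the race;
            # ballots with no remaining candidate are exhausted.
            top = next((c for c in ranking if c in remaining), None)
            if top is not None:
                tally[top] += count
        active = sum(tally.values())
        leader, votes = max(tally.items(), key=lambda kv: (kv[1], kv[0]))
        if votes * 2 > active or len(remaining) == 1:
            return leader
        # Eliminate the weakest candidate; ties broken by name (assumption).
        loser = min(tally.items(), key=lambda kv: (kv[1], kv[0]))[0]
        remaining.discard(loser)


def constructed_elections():
    """Two constructed elections, each split over two polling stations, with
    identical first-preference totals but different lower preferences."""
    x = [[("A",)] * 20 + [("B", "C")] * 35, [("A",)] * 20 + [("C", "B")] * 25]
    y = [[("A",)] * 20 + [("B",)] * 35, [("A",)] * 20 + [("C", "A")] * 25]
    return x, y


def merged(stations, summarise):
    """Add up per-station summaries, as a central tally would."""
    total = Counter()
    for ballots in stations:
        total += summarise(ballots)
    return total


if __name__ == "__main__":
    x, y = constructed_elections()
    print("FPTP totals X:", dict(merged(x, fptp_summary)))
    print("FPTP totals Y:", dict(merged(y, fptp_summary)))
    print("IRV winner X:", irv_winner(merged(x, irv_summary)))
    print("IRV winner Y:", irv_winner(merged(y, irv_summary)))
    for n in (3, 5, 10):
        print(n, "candidates ->", possible_ballots(n), "possible rankings")
```

The two elections report the same first-preference totals yet elect different candidates under IRV, which is why the per-station summary has to carry whole rankings.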
I’ve always wondered if we’ll get the cyberpunk future we envisioned when people decide physical media is the sweet spot between paper/written representation and digital media. Like old cdrom style discs that can only possibly be write-once, and the provenance of the data on it depends on the physical presence of the media itself.
Not that I’m necessarily advocating for it. Just that it seems like a plausible future.
For voting integrity, the vote that is saved needs to be human-readable (the voter should be able to make sure that the digital part of the machine didn't change their vote), so digital storage is right out.
Plus, even with some absolutely secure digital voting system, there's no way you could explain it to most people. A huge advantage of paper voting is that everyone can understand it works and how it can be attacked.
Otherwise it's going to be even easier to claim the system is rigged or foreign hackers manipulated the vote or whatever, to undermine trust.
There’s actually a pretty interesting approach in which: voters can see that their vote counted, everyone can tally anonymous votes, and it is resistant to DoS https://people.csail.mit.edu/rivest/pubs/RR14b.pdf
Of course, the real problem would be explaining to the general population that this works. Great in theory, but will never pan out
Big Ron can ask you to take a picture of the paper ballot as well, so regardless of mechanism you’re in a pretty sticky situation.
It’s not a perfect system, but I would personally find it comforting knowing that I could verify that my vote counted and that I could independently confirm the election results
Edit: haven’t read the paper in a while, but IIRC you can see that the vote counted without revealing details of who you voted for. They definitely would have covered this case
We would need some voting system where each person can verify that their vote was properly counted, something like this: secure end-to-end verifiable e-voting system using zero knowledge based blockchain: https://eprint.iacr.org/2018/466.pdf
We should never consider any voting system that is not simple to the point of being almost-trivial. Anything even slightly more complex than necessary will lead to accusations of cheating which are enough to create massive instability - even when they are provably false. We see this even with the current election systems!
Since there's no simple way to explain 'blockchain' to non-tech people, any voting system using it is irrelevant - and will end up discarded like nearly all the other attempts invoking blockchain hype.
The zero-knowledge proof avoids true accusations of a particular type of cheating. However, the biggest problem is humans, not machines. An election system must be ELI5able, or we can expect a fair amount of instability regardless of truth.
Yeah, not like there's any sort of transparent way to audit a public chain of data blocks representing votes associated with anonymous certificates that would allow end users (verified with registration cards and authorized with their mobile device biometrics) to check their votes were recorded correctly and for 3rd parties to easily audit the vote totals.
That's a problem that hasn't been solved at all by the current applications of cryptography.
Even if my computer gets hacked, as long as I can trivially search my "confirmation id" from another device to ensure it's what I cast, I'm going to see if it was or wasn't tampered with.
Having public records of votes on a per vote basis with multiple layers of cryptographic signatures at each stage of processing them would be a world of improvement over the current system, both client side and server side attacks considered.
Being able to easily validate what individual people voted for is exactly the opposite of what you want in a voting system, as it makes vote buying/selling trivial. I suggest looking into the huge list of previous electoral fraud for all the different kind of attacks that need to be defended against: https://en.wikipedia.org/wiki/Electoral_fraud
Voter coercion and retaliation for voting 'the wrong way' is probably even more important than vote buying/selling.
A key feature of a secret ballot is that it must remove the ability for anyone to verify how you voted even with your cooperation (no matter if willing, coerced or bought) - you must have plausible deniability i.e. any reasonable "demonstration" to others how you voted must be possible even if you actually voted differently.
This argument never really made sense to me, because it's already completely undermined by mail in voting in which you can not only sell your vote but even have the guy you sold it to turn it in for you so he can be 100% certain he's getting what he wanted. You can even give him a 'blank check' by filling out your personal data/signature, and leave the vote slots blank for him.
And for context on the scale of this, in the 2020 election there were 65,642,049 mail-in-votes cast. And the outcome of the presidential election was decided by 42,921 votes. [1]
> it's already completely undermined by mail in voting
This keeps coming up but is not generally true. See my comment from another thread [0]:
I don't know how it's done in the USA, but in Germany voting by post has to be carried out before the day of the election. The actual postal votes are stored and only opened on the day of the election. After somebody sends in their postal vote they can go to the public voting office and declare to invalidate their postal vote. The people counting the postal votes will get a list with invalidated votes and remove these envelopes before the votes are opened. The person who invalidated can then either do another postal vote or vote at the ballot box.
So in Germany postal voting is secured against selling votes.
> verified with registration cards and authorized with their mobile device biometrics
What does "verified" even mean here? At the end of the day, you need to convert it to some cryptographic key, and then that key is vulnerable to attack: either it's kept in the voting machine, in which case the machines themselves are a single point of failure, or else it's given to voters, in which case their insecure phones, computers, etc are easily compromised to get the keys.
Checking your votes doesn't help: a significant number of people do not vote. An attacker can submit votes on behalf of those people using their keys and no one will know, and even if you find someone who claimed that they didn't vote, how would you ever prove it either way?
The advantage of a physical system is that there is no single point of failure: changing the overall election result requires a physical presence at multiple polling locations. All electronic voting solutions are intrinsically worse in that respect.
These hacks can influence politicians after they've been voted in. If anything, direct rigging of a vote is more transparent: people can notice if the vote goes against common sense.