"American Elections Will Be Hacked" https://news.ycombinator.com/item?id=12921967
"Maryland will audit all votes cast in general election" https://news.ycombinator.com/item?id=12885396
"Cylance Discloses Voting Machine Vulnerability" https://news.ycombinator.com/item?id=12883356
"In Pennsylvania, Claims of a Rigged Election May Be Impossible to Disprove" https://news.ycombinator.com/item?id=12790247
"Votes could be counted as fractions instead of as whole numbers" https://news.ycombinator.com/item?id=12841178
"Demographics, Not Hacking, Explain The Election Results"
http://fivethirtyeight.com/features/demographics-not-hacking...
That aside, we should, of course, work on securing the vote.
I added these links here because the same points get hashed and rehashed in every thread, rather than building on the work that's already been done and figuring out what the next steps should be. (I admit that rehashing is a pet peeve of mine.)
As you note, securing the vote is important. A secure vote and trust in the election process is very important to a democracy, and something that continues to come up for a variety of reasons, and something that can easily be supported by anyone interested in democracy, regardless of party affiliation or political persuasion.
In the UK we turn up, go into the booth with the paper slip, and tick our choice with a pen. Then we fold it and post it into a container which later gets shipped off to the counting room. I just can't understand why you guys have to physically turn up if you are just going to select your answer on a computer anyway.
The American voting system is actually very secure.
It's highly decentralized, machines are not connected to the internet, implemented in many different ways, which means that they would have to do many attacks many different places without being discovered to even have an effect.
75% of them have paper trails, which would require an even bigger achievement to change enough of, as it's again highly distributed and decentralized, and it would require mostly physical presence to do it. And that's just a few of the things that make this more or less impossible.
A bigger concern is access to the actual voter databases, but what they can do there is mostly creating chaos, which would obviously be horrible but have no effect on voting.
The biggest problem is actually when examples like these spread without the above consideration, as that can trigger the population to lose faith in a system that is probably as safe as it has ever been.
P.S. I am highly supportive of whistleblowers like Snowden but this is missing the point.
Was YOUR vote counted? (feat. homomorphic encryption) - Numberphile : https://m.youtube.com/watch?v=BYRTvoZ3Rho
It's actually quite a good thing that we start to speak openly about threat-models against all voter sentiment measuring tools, especially the official ones.
There are different sets of issues with both categories of polls. If anything, I believe the issue is not a measurement issue as much as it is educating the public about what the different types of polls are, their limitations, and their usefulness.
Correction: Actual total was 126M votes for the presidential election not 160M votes as I stated. But the question remains.
The technology is there but I don't think there is any incentive to make it happen.
The only problem that I can see is that we cannot be certain that any e-voting technology will survive future information security research and as a result the design needs to factor continuous upgrades.
I can't believe we still rely on trust for this kind of thing.
How do you verify that your vote is actually "taken into account?"
You may be shown that your vote matches what you intended, but then it can be manipulated or discarded somewhere else in the process, beyond your ability to verify. It's like reading open source code without validating the operating system or physical machine it runs in - the entire environment contains the potential for hostility, and it's too complex for one person to comprehend in its entirety.
Also, any such system, assuming it works as intended, may also give interested third parties a way to spy on someone's voting habits. Historically, knowledge of a person's vote has been used by governments and employers to coerce votes and to retaliate against political opponents or supporters of unpopular causes.
Wikipedia page on End-to-End Auditable Voting Systems https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy....
Ron Rivest slide deck from March 2016. Auditability and Verifiability of Elections https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf
In California we were able to vote at home with a mail-in, paper ballot and I much prefer that.
This system just begs for being manipulated.
I guess you trust the mail service and the people on the receiving end to properly record your vote.
I prefer the day of (also in CA), where you get to put it into the counting machine yourself—at least then I know it was counted at my polling place.
I was listening to something specifically talking about California counting mail-in ballots. They said California took longer than most states because it's big, it has liberal laws about eligibility (counting provisional ballots) and citizens are pretty sloppy about filling in mail-in ballots. They described coffee and spaghetti stains obscuring the choice. They will fill out "clean" ballots in pairs with their best guess. I'm sure that's a small number of ballots.
When I've voted in person they deliberately have me feed my ballot into a machine to confirm it was valid.
It was a knee jerk reaction by Congress to the 2000 presidential election recounts in Florida. They passed a bill that funded the purchase of new voting machines called the Help America Vote Act[1]. It provided a fat pile of federal funds to states for the purpose of replacing voting equipment. Of course, throw a mountain of money in front of federal contractors, and several will rush out poorly designed systems quickly to claim the prize. Secure voting was the last thing on their minds. Diebold actually sued the state of Massachusetts for "wrongful purchase" of competitor systems.[2] Slashdot covered the fiasco generated by HAVA for years. Just search for Diebold or Sequoia in relation to their domain.[3]
[1] https://en.wikipedia.org/wiki/Help_America_Vote_Act
[2] https://yro.slashdot.org/story/07/03/26/1431258/diebold-sues...
[3] https://duckduckgo.com/html/?q=diebold%20site%3Aslashdot.org
One common scheme electronic voting machines help prevent is forced votes. A bad guy gets their hand on a single empty ballot and writes the name of the candidate he wants to win on it. He then comes to you and threatens you and your family. Says hand in this pre-filled ballot and bring me back your empty ballot, or else... You comply, he fills out the empty ballot again, and repeats.
The electronic voting machines protect your identity. They allow you to vote anonymously. They provide data integrity that is harder to spoof than paper voting methods. I explicitly asked why they don't just vote on paper ballots like they do in Canada (or the UK as you describe). His response was that we take for granted the inherent trust our societies have to allow us to vote in such a fashion without it being tampered.
Where I vote, my paper ballot in no way identifies me. I identify myself upon entering the polling station, they find my name on the list of registered voters and mark it. When I'm turning in my completed ballot, I again identify myself and my name is marked on a separate list. So there's a record that I voted but not for whom I voted. How would an electronic voting machine improve upon this?
BTW, where I vote, the paper ballots are the bubble scan kind and the voter feeds it to the machine themselves. This provides very fast tabulations with a paper record for security and recounts.
The problem I have with this particular scenario is that it imagines a reality in which someone can afford to collect votes one by one with impunity but can't force these same bunch of people (and one or two simply aren't enough to matter) at the voting station itself.
I don't know if this is the current case (or perhaps your scenario is one of the reasons for the current procedure), but they can just put a serial number on the stub so that the poll worker can verify that the ballot that was handed out was the one just filled out.
I am sure there are many reasons to prefer electronic voting, but that just seems logistically impossible when you are talking about millions of people. No way that wouldn't go unreported or undetected.
Whereas with voting machines, a compromise has much more reach and would be difficult to detect.
I'm not saying this scenario is plausible for swaying the outcome of a presidential election (which is what I am sure is on many of your minds right now). But for locally elected officials? Seems at least plausible to me.
At the end of the day I imagine electronic voting is all about speed. A quick wiki search brings up the following anecdote:
> The voting system has been widely accepted, due in great part to the fact that it speeds up the vote count tremendously. In the 1989 presidential election between Fernando Collor de Mello and Luiz Inácio Lula da Silva, the vote count required nine days. In the 2002 general election, the count required less than 12 hours. In some smaller towns the election results are known minutes after the closing of the ballots.
Or, alternatively, spend tons of money on electronic voting machines that allow the bad guy to game the system on a more massive scale without having to threaten as many people.
I'd be willing to bet money that this scenario has never, ever happened.
I voted on paper and it was put in a box to be counted in a central location. This takes forever and they just now are finishing up counting.
Electronic voting is a lot quicker and cheaper to count. I'd argue that the best system is one in which you vote on paper but it's counted electronically at the polling booth. That way there's a paper trail that can be audited and also quick counting.
Our population is only 1/6th yours, IIRC, and you subdivide more heavily into states already.
That's how we do it around me, and it seems like a strictly superior approach. What am I missing?
https://www.theguardian.com/notesandqueries/query/0,,-1051,0...
Which is a shame, because it's a fairly effective way to push money back into the economy, at least when a manual system is used.
Second, electronic machines are popular because they speed up the election counting and are cheaper to run because the election board doesn't have to print tens to hundreds of thousands of ballots. A good electronic voting machine reports the vote 2 ways: digitally to some vote tabulator local to that voting place, and with a paper record that can be audited. The paper printout they're having printed in this video is the end-of-the-night tally that'll be reported to the county/state board of elections to be combined with the rest of the results.
Third, doing it on a centrally located machine instead of over the internet adds a lot of security to the process. Trying to properly secure single-purpose hardware like a voting machine that can be kept in a monitored location is a much simpler task than trying to find a way to ensure Joe/Jane Voter's computer isn't compromised when sending the data to their county's board of elections. Not to mention that by accepting votes over the internet you're opening yourself up to everyone being able to remotely attempt to exploit the system. At least with a voting machine only connected to other election hardware, attacks are limited to someone that's physically at the voting location. It's also tricky to prevent double voting while maintaining complete anonymity.
The only benefit is that you have a paper record that can be corroborated if there is evidence of hacking later. But we could do a printout paper record on voting machines too.
You'd be surprised how many of those paper ballots don't get recognized when they are counted. Because the checkmarks don't fill up the box enough or because of optical/scantron error.
In the UK's 2014 elections for the European Parliament, a Scottish voter wrote against the four parties/candidates listed: "wank"; "wank"; "good guy"; "wank".
The vote was deemed valid as the voter had expressed a clear preference.
(Source: https://twitter.com/JamieRoss7/status/473068708441894912/pho...)
There are pictures and a description here: http://www.bbc.com/news/election-2015-england-32533064
The difference is that the voting machine makes it possible to hack the paper trail.
You don't have to manipulate many votes to have an election-deciding effect.
Moreover, you have to ask; How could the Simon Bar Sinister have known prior to the election that these three states (and probably one or two counties in each state) would be the decisive counties to hack to manipulate votes and win the election? He can't.
Or modify the program loaded on the machines before they're distributed. It's probably easier than you think.
In extremely dishonest countries where the local courts, police, and election officials are all corrupt, a large mafia-style presence could coerce a lot of people into voting a certain way. But if any of these are at all trustworthy, it seems difficult to coerce anyone. And even then, the mafia abusing too many people (>5%) would cause them to riot.
The reality is, people have no choice.
That doesn't exist. See this[1] talk by Andrew Appel (CS Prof. at Princeton) for a very nice overview of the technology in the traditional pre-printed secret ballot and why electronic/internet voting cannot be secured from all of the known threats.
TL;DR - Adding anything that can be used as an identifier enables vote buying or coercion. Adding computers introduces "Trusting Trust"-style problems where you never know what is actually running (hashing/verification only pushes the problem around).
The question is how (in)secure is the system. In this case, the voting protocol doesn't provide a means of verification.
Secure voting protocols have been around for quite a few years. jjuhl left this comment above https://news.ycombinator.com/item?id=13032602
Dan Boneh's Crypto 2 coursera course (https://www.coursera.org/learn/crypto2#) covers the concept.
There are voting protocols that use the same foundations as public-key crypto to allow for vote verifiability - you can validate that your vote has been taken into account in the tally without sacrificing the privacy of your vote. There are solutions for voter fraud too.
Consider the case, in the technology of proportional representation, of the Hagenbach-Bischoff quota: https://en.wikipedia.org/wiki/Hagenbach-Bischoff_quota
It's (it seems to me) obviously arithmetically unfit for purpose compared to the Droop quota. In some cases more candidates can meet the quota than seats are available. Yet it remains in use/part of the credible discussion.
As a starting point, you can review Rivest's slides for an overview.
Ron Rivest, "Auditability and Verifiability of Elections", March 2016. https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf
Edit to add: I see I've already suggested this to you earlier today.
^-- Fixed that for you.
But seriously, at some point, unless everyone sticks around to watch everyone else's votes being counted, there has to be some level of trust with the system. The only thing we can do better is to make vote counting machines' code open sourced and have the code signed with a trusted Public Key Infrastructure of some sort.
The paper system is very open source already. So open that even non-developers can understand it.
https://insajder.net/en/site/tema/794/
http://www.novinite.com/articles/120632/Bosnians+Name+Vote-B...
http://www.itv.com/news/wales/update/2015-05-08/angry-voter-...
Any system that can be abused, will be.
Yes, this doesn't fix every problem, but it does fix some problems that used to be common.
> So your concern seems strange.
Then I strongly suggest reading more about the history of voting methods and technology. (the talk in my other post has a nice overview)
We no longer have problems like offering whisky for votes or employers that threaten to fire anybody that doesn't vote a certain way (although occasionally they still try).
Vote manipulation by the government the election is happening for isn't really something you can solve, because in that case the election isn't the problem.
I am just theorizing here: Someone now takes the box of paper votes and runs it through the scanner machine. And passes this number along to someone. What is stopping them from tampering at this step? I think this is precisely what my co-worker was describing. There is an inherent trust that your paper ballot is scanned and recorded in a fashion that matches your vote.
An electronic voting machine could potentially communicate votes in real time over a secure connection. Or in the case of Brazil's machines, I believe stores it locally, encrypted, with a verifiable cryptographic signature of some sort.
I'm sure we all know the multitude of other attack vectors this introduces. I guess I am just not convinced that paper makes things more secure.
We designed a vote printer that would allow the voter to see a paper copy before storing it, but it was never used.
Given the number of comments you've made on this thread, it seems this is an area of interest to you. I encourage you to look through the previous HN discussions on this topic. Here's a list of some of those from the past month or so:
Doesn't scale is a concept that only developers and entrepreneurs understand. Sadly, that makes it an invalid argument for the other 98% of the population.
Of course. That's why it's important to reduce the attack surface. Adding electronics (or worse, software) adds a huge amount of attack surface. The attack could be at any point from the CPU-internals to the software.
> the voting protocol doesn't provide a means of verification
Yes. That's a feature. Any new system cannot re-enable voter coercion.
> Homomorphic encryption
I already mentioned[1] that video yesterday. It's an interesting idea, but even Prof. Rivest in the video isn't claiming it's ready for use.
More importantly, the reply by marten-de-vries[2] brings up a very good counter argument to any voting system based on fancy math: the general population won't accept it. The voting process doesn't work unless the population considers it legitimate, and it will be hard to convince them if they first have to learn enough math to understand homomorphic (or public-key) encryption.
This is still interesting research that may evolve into a new type of voting protocol in the future.
You're missing the point. The voting protocol is built in such a way that you can verify that your vote was cast as intended, and that your vote was counted in the tally. Once everyone agrees on the voting protocol you don't need to trust someone else's electronics, you can do it on your own device, and use open source software.
> > the voting protocol doesn't provide a means of verification
> Yes. That's a feature. Any new system cannot re-enable voter coercion.
You can have vote verification without enabling coercion. If you have a vote receipt it does not imply you can prove or disprove how you voted, but it does allow you to verify that your vote was included in the tally.
> More importantly, the reply by marten-de-vries[2] brings up a very good counter argument to any voting system based on fancy math: the general population won't accept it. The voting process doesn't work unless the population considers it legitimate, and it will be hard to convince them if they first have to learn enough math to understand homomorphic (or public-key) encryption.
I disagree. The general population doesn't know how RSA or AES work but we have HTTPS and the green-lock-thingy. You don't need to know how or why something works in order to reap its benefits.
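The tally the comments above refer to (a receipt that shows your ballot is in the count without showing how you voted), as an added example that is not from any commenter or voting project. It uses textbook Paillier encryption with toy primes; the function names and sample votes are constructed assumptions, and it does not address whether the voter can trust what the machine encrypted.

```python
import hashlib
import math
import secrets

# Toy key: two Mersenne primes, far too small for real use (assumption).
P, Q = 2**31 - 1, 2**61 - 1


def keygen(p=P, q=Q):
    """Return (public modulus n, private (lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return n, (lam, mu)


def encrypt(n, vote):
    """Encrypt a 0/1 vote; fresh randomness r makes equal votes look different."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    n2 = n * n
    return ((1 + vote * n) * pow(r, n, n2)) % n2


def decrypt(n, priv, c):
    """Recover the plaintext; only the holder of the private key can do this."""
    lam, mu = priv
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n


def receipt(c):
    """Voter's receipt: a hash of the ciphertext, which does not reveal the vote."""
    return hashlib.sha256(str(c).encode()).hexdigest()


def combine(n, board):
    """Multiply the published ciphertexts; the product encrypts the SUM of votes.
    Anyone can recompute this from the public board without any key."""
    acc = 1
    for c in board:
        acc = (acc * c) % (n * n)
    return acc


def receipt_on_board(rcpt, board):
    """What a voter checks: is my ciphertext among those being tallied?"""
    return any(receipt(c) == rcpt for c in board)


def demo():
    n, priv = keygen()
    votes = [1, 0, 1, 1, 0]  # constructed sample: 1 = yes, 0 = no
    board = [encrypt(n, v) for v in votes]  # published bulletin board
    receipts = [receipt(c) for c in board]
    tally = decrypt(n, priv, combine(n, board))  # individual votes never decrypted
    tampered = board[1:]  # constructed tampering: first ballot silently dropped
    return {
        "tally": tally,
        "all_receipts_found": all(receipt_on_board(r, board) for r in receipts),
        "dropped_ballot_detected": not receipt_on_board(receipts[0], tampered),
    }


# A deployed scheme also needs a proof that each ciphertext encrypts 0 or 1
# and a decryption key split among several trustees; both are omitted here.
if __name__ == "__main__":
    print(demo())
```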
No, you're missing the point. You don't know that the crypto was calculated properly, because you are not going to be calculating the crypto by hand. Prove - in the voting booth - that someone hasn't changed the software to give you the wrong crypto token.
> If you have a vote receipt it does not imply you can prove or disprove how you voted, but it does allow you to verify that your vote was included in the tally.
Do you not see that this is a contradiction? Someone coercing you simply demands that verification.
"Bring your verification receipt if you want to keep your job."
> HTTPS and the green-lock-thingy
TLS doesn't rely on the public understanding it for legitimacy. The public doesn't care about how it works; they care about if it's a reliable security feature. Legitimacy is lost if there are too many public failures.
Voting requires an understanding of how the winner was decided. Your proposal will never be accepted if it is, in the eyes of the general public, a black box you submit your vote into that is only interpreted by a priesthood that they have to trust to interpret the votes. Adding up votes is understandable, but homomorphic encryption might as well be black magic.
This understanding is more important than ever, because we are currently experiencing a revolt against technocracy. Brexit and Trump are aspects of this revolt. If you think you can get the population to accept a voting protocol they don't understand, then you haven't been paying attention to the current political climate.
Paper ballots are not immune from such concerns. The concept of votes being added or removed from a count isn't a new phenomenon. So the standard should be whether or not the electronic means are better, rather than them being a perfect counting method.
That depends where the person is. The people managing the process, those doing the counting, have plenty of opportunity for large manipulations. There are safeguards, but the possibility remains and must be accounted for.
IF vote = Clinton AND random <= small error limit not making cheating obvious THEN vote = Trump;
line in the code?
What counts is not who votes, but who counts the votes.
Original (translated from Russian):
Kamenev, trying to come down to Stalin's level, says: "And now on the question of how to win a majority in the party." "You know, comrades," says Stalin, "what I think about this: I consider it completely unimportant who in the party will vote, and how; but what is extraordinarily important is who will count the votes, and how." Even Kamenev, who by now ought to know Stalin, clears his throat expressively.
The next day Stalin summons Nazaretyan to his office and confers with him for a long time. Nazaretyan leaves the office looking rather sour. But he is an obedient man. That same day, by a resolution of the Orgburo, he is appointed head of the party department of Pravda and sets to work.
Pravda receives reports on the meetings of party organizations and the results of the votes, especially from Moscow. Nazaretyan's work is very simple. At the meeting of such-and-such a cell, say, 300 people voted for the Central Committee and 600 against; Nazaretyan corrects it: for the Central Committee, 600; against, 300. And that is how it is printed in Pravda. And so on for all the organizations. Of course, the cell, having read in Pravda the false report on the results of its vote, protests, telephones Pravda, and gets through to the party life department. Nazaretyan answers politely and promises to check immediately. Upon checking, it turns out "that you are completely right, an annoying mistake occurred, the printers mixed it up; you know, they are very overloaded; the editorial board of Pravda offers you its apologies; a correction will be printed." Each cell assumes that this is an isolated mistake that happened only to it, and does not guess that the same is happening across most of the cells. Meanwhile a general picture gradually takes shape that the Central Committee is beginning to win all along the line. The provinces become more cautious and begin to follow Moscow, that is, the Central Committee.
(Stalin faked election by printing reverted votes in «Pravda»).
How do you know if someone decided to throw away some of them?
(While also ensuring voters remain anonymous and allowing voters to verify their votes.)
The machine itself can keep count, or the cards could be designed for scantron-esque machine counting - regardless, in case of a disputed result, the cards can be counted the traditional way (by hand, with observers from each party present, etc).
Not my idea, BTW, but I don't recall where I read it - nor whether it was a description of something actually in use or merely a proposal.
Do you remember "hanging chads"?
But yeah, that's the crux of the idea: have a machine take the voter's choices, to effectively eliminate accidentally-spoiled ballots (the design of the "hanging chads" machines was sorely lacking on this point); but then have it produce a physical record, visually checked by the voter, to enable auditing & recounts.
Counting the hard copies would be the definitive source of truth, just like traditional paper ballots - any automated score-keeping would just be a bonus for early result reporting (although might also stand in for the manual count in "safe seats" where no-one cares to dispute the expected result).
Speed-wise, it only takes the machine about 1 second per ballot card.
Not to mention the additional level of confusion and potential for errors. All of this so you can buy two machines from two different vendors who might, in the end, still have ties via investors.
With a paper vote, you place trust in those who collect, store and, count, and you can always recount if needed. With electronic voting you place that trust in those that produce the hardware and software.
[1] http://www.bbc.co.uk/news/uk-england-london-32428648
Was this guy https://en.wikipedia.org/wiki/Lutfur_Rahman_(politician)#Fal...
Is it just me or does this sentence not make sense?
That way being "walking around money" in the sense of mingling with wealthy people at expensive events funded by other wealthy people in an attempt to gain favor (and votes) from the people who can afford those events.
I think it's being purposely dramatic, but the English (kind of) adds up.
Wisconsin was not considered to be a battleground state. HRC didn't even campaign in the state after the convention.
Of course, although it's not possible to earn an election purely by fraud, it could still alter it.
[1] http://www.nytimes.com/interactive/2016/11/09/us/elections/s...
Have the checker mark the holes it detects with red ink or something, to make it clear to the user that the system detects their votes properly, and to provide a fallback. In the event another machine fails to count it, the user's intent is double-marked.
And then have the same style of vote-counting, where people manually scrutinize the votes, and have each party's representatives slide the votes into their counting machine. If the machines lose sync, you stop and figure it out at the point of the specific vote that fails to scan.
You have a number of differently affiliated persons watching the proceedings, and having at the end a rough idea of the number of votes that were returned per polling station. Then (with some coordination that should be trivial for the smallest of political parties) those results can be independently reckoned and compared back to the official totals. Any irregularities should be quite obvious. Recounts are probably the Achilles heel of paper ballots, as you need a way to verify that they were not tampered with in the meantime.
Compare to voting machines: "Just trust us. You need to have deep domain knowledge in several fields before you can even start to evaluate our trustworthiness (software, hardware, security, etc)... so just trust us. No, you can't examine the machines."
Easy. Serial numbers. Like any other anonymous system (paper money, raffle tickets etc) you assign a number to every valid ballot. Should the same number appear twice, or not appear, then you know something fishy is happening. Any extra fake ballots should be discovered, so long as the originals are not removed from the systems. Throw the numbers around randomly and creating undetectable fakes become very difficult.
You already have a log of who showed up to vote. Compare the number of shows S with the number of ballots V which must be <= S due to poorly marked/unreadable ballots. Simple.
Edit: and this all statistically correlates with exit polls. It's very, very hard to fake all three of these in order to rig an election.
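The two checks described in the comments above (ballot serial numbers that repeat or never appear, and ballots V compared against sign-ins S), written out as an added example that is not from any commenter or election system. The serial format, function names and sample data are constructed assumptions.

```python
from collections import Counter


def reconcile(issued, scanned, sign_ins):
    """Compare scanned ballot serials with the issued list and the sign-in count.

    issued   -- serial numbers printed on valid ballots for this polling place
    scanned  -- serial numbers read from ballots found in the box
    sign_ins -- number of voters marked in the poll book (S)
    """
    issued_set = set(issued)
    counts = Counter(scanned)
    return {
        # Same serial seen more than once: a copied or re-fed ballot.
        "duplicates": sorted(s for s, k in counts.items() if k > 1),
        # Serial never issued: a ballot from outside the system.
        "unknown": sorted(s for s in counts if s not in issued_set),
        # Issued but never scanned: unused, spoiled, or removed ballots,
        # to be matched against the unused and spoiled ballot counts.
        "missing": sorted(issued_set - set(counts)),
        "ballots": len(scanned),          # V
        "sign_ins": sign_ins,             # S
        # V must not exceed S; V below S is expected (unreadable ballots).
        "more_ballots_than_voters": len(scanned) > sign_ins,
    }


# Constructed sample data for one polling place.
SAMPLE_ISSUED = ["A-0001", "A-0002", "A-0003", "A-0004", "A-0005", "A-0006"]
SAMPLE_SCANNED = ["A-0001", "A-0002", "A-0002", "A-0004", "A-0005", "Z-9999"]
SAMPLE_SIGN_INS = 5


def sample_report():
    return reconcile(SAMPLE_ISSUED, SAMPLE_SCANNED, SAMPLE_SIGN_INS)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```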
https://en.wikipedia.org/wiki/Australian_Senate_special_elec...
Which is why it's important to fix this earlier rather than later.
If it's your goal to cast more FUD on the issue, that's your choice. I can't even ask you to be honest about it because that wouldn't be congruent with spreading FUD.