This sounds great: paper trail, no chance of "hanging chads" or bad handwriting, verifiable by the voter at the moment before scanning and hand-countable if necessary.
I do agree that the paper trail is a great thing. I'm not fundamentally against electronic voting, but I haven't heard of a system that can really compete with the simplicity and verifiability of the immutability you get from paper ballots inside ballot boxes being watched over by interested parties on all sides.
And I like it. The simpler the design, the better. Sometimes it takes a billion dollars and a couple of smart researchers to invent the "obvious" solution to a problem.
We've got butterfly ballots, confusing electronics-only machines, and a variety of bad standards as the basis of our current voting infrastructure. Telling everybody to use a damn PDF + printer would be a gross improvement.
Give America an idea, and SOMEONE in America will royally screw it up. It's a big country filled with lots of smart people, but also filled with lots of dumb people.
DARPA is working to come up with the standard that the whole country should follow. That's good and useful research. Even if it comes out to be the obvious solution (a paper ballot off of a damn printer), there's benefit to one of the major research institutions of this country telling the rest of the country how things should be done.
They were particularly badly arranged punch card ballots; the solutions to both the bad arrangement (“don't do that, like most people didn't do previously”) and the punch card (”use optical scan”) related problems are not only well known but pretty widely adopted.
More specifically - it's a big country with a fantastic amount of decentralization. Elections are run and ballots are designed not, by national governments, not by state governments, but by county governments. The chance that someone will mess up is a lot higher.
(Of course, this does have the advantage that centralized tampering with the ballot is harder.)
I've always wondered why nobody suggests doing that in the US to help prevent or ease people's concerns about potential voter fraud. It's simple, low-tech, and hard to screw up.
Unless I'm missing something, which of course is possible. Can someone tell me what the downsides are to an idea like that?
I have been informed by social scientists that requiring voter ID is racist, so it seems that fingerprint checks would also be racist via the same logic.
I don't think that's dismissive at all. That's what it is, and it sounds good to me. Basically the computer is a scribe with perfect handwriting that fills out the paper ballot for the voter while the voter watches. Absolutely any voter is qualified to assert whether the ballot contains the votes they intended to cast.
From there, you could have the voter carry the ballot and drop it in a box that's being observed by any number of interested parties, providing old-fashioned accountability. Counting by scanner is an optional time saver, with hand counts as the alternative / double-check.
1. You cannot know whether the device leaks your vote, i.e., whether your vote is secret. Mind you that in addition to an attack inside the device, this can also happen via simple electromagnetic side channels inherent in the device--as has been demonstrated quite a while ago for Nedap voting computers by the Dutch campaign against voting computers, where you could distinguish selected candidates by tuning an AM radio to the right frequency.
2. When the device malfunctions, whether due to a defect or sabotage, and only particular candidates can not be selected, that creates a side channel where the voter is effectively forced to unveil who they want to vote for.
Neither of those failure modes exist with paper ballots.
Paper ballots stop secret cameras in the ballot room? I mean, they really don't. It depends on your threat-model. A lot of things will come down to trust.
> 2. When the device malfunctions, whether due to a defect or sabotage, and only particular candidates can not be selected, that creates a side channel where the voter is effectively forced to unveil who they want to vote for.
See Butterfly ballots. Paper ballots in USA (Florida specifically) which basically had this flaw. It was confusing to know which circles and lines were going to the correct candidate you wished to vote for. Asking for help on the ballot would leak information on who you wanted to vote for.
A poorly done paper-ballot has its own set of issues.
And neither do touchscreens. Paper is better if it's not done comically wrong.
And even the worst paper ballots have a much smaller attack surface for plain old analog rumors than the best possible electronic system. The most powerful way to undermine a democracy is not flipping some votes to one candidate in perfect secrecy, it's making all candidates/camps believe that the other did. This could destroy a democracy even without a single vote having actually been tampered with.
Electronic voting, only understood by experts, is perfect soil for such rumors and no amount of open sourcing can change that. The many human counters involved in a hierarchical paper vote counting scheme are not just an unfortunate inefficiency left over from a time when machines could not count yet, they also serve as witnesses, not only for keeping their peers in check but also for dampening any unfounded rumors that might come up. They increase trust even when they are not actively speaking up against rumors, just by being there, in numbers, as passive dampening elements like the moderator rods in a fission plant.
Ballot rooms are just about as decentralised and non-standard as it's possible to get your head around. Voting machines are the exact opposite.
Are we actually discussing that someone could or would roll out a (nationwide?) network of hidden cameras across church halls, schools, and other places where people go to cast paper ballots. Undetected?
Distributing compromised software - or designing your attack into the hardware - for voting machines would be child's play by comparison.
The electronic voting machine never is granted your identity. But I'll grant it's possible that records of the voter identity with the ballot identity exist and could be used to map the voter's vote.
In MN, we use paper ballots with Scantron readers for excellent results. I'm not sure what problem this new system is supposed to solve that the Scantron model doesn't.
My preference is for plenty of machines available to fill out paper ballots, but give voters the option of filling out by hand.
After a vote we get to watch the news go from counting station to station to announce the results.
There are usually a few recounts etc but it rarely takes longer than a day or two and tbh which is more important done right or fast?
If you live in a place like I do, we’re a one party place where primary elections are the real elections, and you don’t have the competitive pressures that are inherent to a multi-party contest.
We also had a huge upsurge in “write in” votes, as the paper forms are difficult to interpret.
So ballot marking technologies have marginal utility. Expensive fix for a non-problem.
For complying with HAVA mandated accessibility, the Automark is slightly less bad than the others. The only solution which actually fulfilled all the requirements and was preferred by the disabled community is a non-electronic protective ballot sleeve called the Vote-PAD. Alas, it hasn't been available for quite some time. Being cost effective, meaning less pork, it didn't have any champions.
Fortunately, a new ballot marker, twenty years too late, doesn't help with the increasingly fashionable postal balloting, so there's no danger this latest noble effort will have any benefit.
I don't think you're being dismissive enough, it's an expensive pencil and paper.
If you have to fill something out by hand, it makes it hard to do this.
People consistently overestimate the reliability of that solution, especially for older voters with mobility challenges. Pushbuttons or levers that demand macroscopic elbow/shoulder motion are easier for that demographic to use than sensitive screens requiring fine motor control.
And that's all to say nothing of what happens when the screens become miscalibrated and accept taps a few pixels off. I'm fairly confident most of the "It switched my vote" reports we hear are actually this category of "user-error" (which should really be counted as "machine malfunction").
In general, getting elderly people, low-income populations and other late adopters of technology to use touchscreens correctly has been much easier than getting people to use a mouse. The mouse is less physically intuitive than "poke the thing you want." For most of us, though, we hardly notice a difference.
- since there's only one screen, and it's all touchscreen, users get consistently confused between pictures of buttons describing what the buttons do and the buttons themselves
- the touchscreen is itself a peripheral and prone to wearing out. When it does, the fact it's wearing out is difficult to observe during the election day; there's no cursor indicator, so a poll worker can't check calibration.
- users with fine-motor-coordination issues have to brace against the box to steady themselves to touch the tiny targets they want. There's nowhere to brace against a touchscreen that isn't also touch-sensitive input, and the screens don't accept multi-touch.
A row of buttons along each side of the screen, not unlike the solution used at many ATMs, would ameliorate all these problems. These boxes are already custom hardware jobs, so switching out touchscreens for a couple of button banks would be cheaper, equally usable for most voters, and more usable for mobility-impaired voters. It would improve all three observed problems.
Wishes and horses though; the machines we have are the ones we use.
What we saw in 2016 was that even if a candidate were to contest a result, none of the election committees were willing to commit to a full hand recount; instead, the only options were to retabulate through the very same tabulation processes and machines that had produced the questionable results in the first place.
Without low barrier to recount by hand, the electronic systems production of paper trails is worthless. Arguably worse than worthless, because it leaves everyone thinking there is a usable backup, when there isn't.
The best example of this is a Risk Limiting Audit (RLA). You only have to re-count a smaller number of ballots until the overwhelming probability is that the vote is confirmed, or that the vote is rejected. Depending on the disparity between the ballot options, this count can actually be very small.
This system is perfect for this kind of an audit -- essentially a ballot marking device written by an organization known for formal verification.
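An added illustration of the audit described above, not code from the DARPA/Galois project or from the ColoradoRLA repository: the ballot-polling BRAVO test of Lindeman and Stark, which is the simplest kind of risk-limiting audit (Colorado's audits were ballot-level comparison audits, which need the scanner's per-ballot interpretation and stop even sooner). Each hand-read ballot multiplies a likelihood ratio; the audit stops and confirms the reported outcome as soon as the ratio reaches 1/risk limit, and escalates to a full hand count if the sample runs out first. The ballots below are constructed inside the script, not real election data.

```python
import random


def bravo_factor(ballot, reported_winner_share):
    """Likelihood-ratio factor contributed by one hand-read ballot (BRAVO).

    The test weighs "the winner's true share is reported_winner_share" against
    the null hypothesis "the reported winner actually has at most half the
    votes". A ballot for the winner raises the ratio, one for the loser lowers
    it, and an unreadable/undervoted/overvoted ballot carries no evidence.
    """
    if ballot == "W":
        return reported_winner_share / 0.5
    if ballot == "L":
        return (1.0 - reported_winner_share) / 0.5
    return 1.0


def bravo_sequential(sample, reported_winner_share, risk_limit):
    """Walk an ordered random sample of hand-read ballots.

    Returns ("confirmed", n) once the ratio reaches 1/risk_limit, or
    ("full hand count", n) if the sample is exhausted first; n is the number
    of ballots that had to be examined by hand.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("BRAVO needs a reported winner with more than half the votes")
    threshold = 1.0 / risk_limit
    ratio = 1.0
    examined = 0
    for ballot in sample:
        examined += 1
        ratio *= bravo_factor(ballot, reported_winner_share)
        if ratio >= threshold:
            return "confirmed", examined
    return "full hand count", examined


def bravo_audit(ballots, reported_winner_share, risk_limit=0.05, seed=None):
    """Draw ballots uniformly at random without replacement and run the test.

    In a real audit the draw must be made from a published, fixed manifest of
    all ballots with a public random seed, so observers can check the sample.
    """
    rng = random.Random(seed)
    order = list(range(len(ballots)))
    rng.shuffle(order)
    return bravo_sequential((ballots[i] for i in order), reported_winner_share, risk_limit)


def constructed_election(n_ballots, true_winner_share, seed):
    """Constructed stand-in for a pile of paper ballots (not real election data)."""
    rng = random.Random(seed)
    return ["W" if rng.random() < true_winner_share else "L" for _ in range(n_ballots)]


if __name__ == "__main__":
    honest = constructed_election(100_000, 0.60, seed=1)    # reported 60% is true
    wrong = constructed_election(100_000, 0.45, seed=2)     # reported 60%, real loser
    for name, ballots in (("honest report", honest), ("wrong winner", wrong)):
        outcome, examined = bravo_audit(ballots, 0.60, risk_limit=0.05, seed=7)
        print(f"{name}: {outcome} after examining {examined} of {len(ballots)} ballots")
```

The sample size is driven by the reported margin, not the size of the electorate: with a 60/40 split and a 5% risk limit the honest case typically settles after a few hundred ballots out of 100,000, while a tied race would need close to a full count. The risk limit bounds the chance that a wrong reported winner is confirmed, which is the property a hand recount is supposed to provide and a machine retabulation does not.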
I'll read the paper you linked, but know that it's contrary to the received wisdom, and I'm very skeptical of any claims that auditing elections are feasible or worthwhile. By audit, I mean anything short of a full manual recount.
Okay. I lightly read that paper.
First, it specifically says to only audit the VVPR, meaning the actual ballots, not the VVPAT, which is just what the computer says it recorded. So there might be some miscommunication. I assumed #bdamm was referring to the VVPAT.
Second, the meat of the paper is refinements for calculating the confidence that the official result is correct based on recounting a sample. All of the caveats with audits, not within the scope of this paper, remain the same.
Colorado successfully performed an RLA, and didn't have to recount every ballot. If you really want to read more, Free and Fair (IIRC, the same group bidding on the DARPA grant) has open source software and instructions on how to perform RLAs: https://github.com/FreeAndFair/ColoradoRLA
I don't see how any system can work if nobody is willing to double-check it.
Frankly the cost of elections doesn't seem to be a serious problem for any government. They're choosing to fix some roads instead of boosting the quality of elections. Frankly I'll take the election over potholes or whatever else the government is spending money on, because if I can't trust the election, I can't trust the government.
In the USA, federal, state, and local contests are all on the same ballot. Where I live, general election ballots have 30+ items.
For manual counting to be feasible, we'd have to split into separate ballots.
Of all the people I've spoken with over the years, there's been no objections to this. But it is a big change and there's been no advocacy.
"We want you to vote for Jim Totes-Legitimate for President. But so that we can recognize your ballot paper and we can verify that you voted for him and we don't have to break your kneecaps, please also mark your other ballot races as follows: Fred Also-Ran for First Assistant Flangedoodle, Sheila Plausible for Second Assistant Flangedoodle, Hazel Placeholder for Junior Hog Counsellor."
Not hard if you've got 10 or so multi-way contests or 20 or so ballot measures.
Similarly, with postal balloting (vote by mail), your ballot is batched (upon receipt), so will be mixed with ballots from other precincts, therefore more easily tied back to its voter.
Best as I can tell, the only thing determined from the audit was that the machines still powered on and the printers worked.
That seems backwards. Touch screens suck. Why not build a validation machine that voters can feed manually-completed optical scan ballots into, before they go to the tabulator? Clear feedback would help catch incorrectly filled out votes before they're cast, no touch screen required.
The validation machine could have a very clear and user-friendly display, which candidate pictures are large type. That would definitely be easier to verify than a computer-generated optical scan ballot.
That's precisely how poll-based opscans work.
Central count (for postal ballots processing) is necessarily different, because that sanity check cannot be done, so voter intent must be adjudicated when ballots (or individual votes) are unreadable. It's a sausage factory.
I know, we have them in my district, but they don't do all the validation I was talking about. I think all that the current machines do is validate that there were no overvotes, etc. I was proposing a separate machine that would let the voter validate that the ballot would be read as they intended.
Although I would favor a screen with physical buttons next to it (not like the garbage you see on ATMs and gas pumps though)
What don't you like about these buttons? As mentioned elsewhere in the comments, this is a proved design that works well for a great number of people. Plus, the elderly / tech averse are likely to already know how it works.
Does this system address that concern?
I guess the devil is always in the details. "freely adopt and customize" to me says that the code will not be verifiable or open source anymore? Or that the implementation could be flawed. Open sourcing the code, and then letting commercial entities change it, cut corners, make money, etc seems to be a good way to ensure that all the hard work that went into designing the system is rapidly compromised.
Edit: I recall the US having to withdraw from the Human Genome Project because of this as soon as a private enterprise claimed it as a field of business.
In some other countries they mail you a postcard with how much taxes you owe, but if you have deductions they didn't know about you have to correct it... They wanted a similar system here, but the major companies like Intuit and H&R Block lobbied against it...
Adam's Ruins everything talked about this https://youtu.be/Fj4anUL-LvY
Guess that about sums it up. It's DARPA after all, folks..
I know DARPA is military, but they contribute so much to general research that it's kinda normal to use their stuff.
I would take an open source and peer reviewed voting system that was originated by the NSA and CIA and every other spook organization over one that was closed-source and hand-coded by Larry Lessig or whomever is your favorite person of integrity.
What's wrong with electronic ballots? If we can have a secure and auditable banking system (and every other aspect of our lives), surely we can have the same for voting?
There's one major requirement in voting systems that throws a huge wrench in everything, anonymity. In order to prevent vote buying and coercion voters can't be tied to specific votes. So any system that allows a person to check that their vote got counted for their candidate isn't workable because that violates the anonymity requirement.
There's a million reasons that votes change as they're counted and recounted. For one in some states absentee ballots can be postmarked up to the day of the election so they can trickle in for a while after the day of. Another is machine breakdowns and just mistakes as the complete numbers are gathered.
There are several other major problems with their system, but I think they should at least get credit for their approach.
First of all, you can't observe the counting process, and now if somebody wants to mess with the results, it becomes super easy to do so.
Electronic voting is a great opportunity for dictatorship.
And we know they do, because it's trivial to observe. Without paper it would be totally opaque, you would just have a raw number and nothing else.
The US requires that once you leave the polling station you must not be able to prove to anyone how you voted.
1. Assume that there are enough high-powered actors to want to rig an election
2. Note that confirmed cases of rigged elections happen through paper absentee ballots
3. Note that there are very few known cases of a rigged election happening through electronic voting machines.
4. One probable conclusion is that election rigging is possible and undetectable through electronic voting machines.
That's a big part of the advantage of paper ballots. The cost of subversion is high because more people need to be in on any conspiracy to subvert the system. More conspirators means more and more incentive to defect against co-conspirators.
Electronic systems do not scale subversion cost with electorate size. But they do scale the payoff of subversion.
People who work with computers understand their limitations. But the average person on the street doesn't seem to see them the same way. They think computers equal modernization equal reliability. True or not, if you want a voting system to be a political reality, you'd have to change public opinion, and we've spent more than a decade trying to but haven't gotten that done.
To play devil's advocate...
Paper is just a medium. With apologies to Claude Shannon, critical properties of information are best ensured through secure protocols, not by picking a particular medium.
E.g., if the property you want is security, encryption is more provably secure than invisible ink. The properly encrypted message can be stored on paper, radio, magnets, or neurons, it doesn't matter.
The properties we want from ballots are somewhat uncommon and therefore very unintuitive. They are still properties of information. Availability and deniability simultaneously? (So you can personally confirm, but never provably sell your vote).
We could design a cryptographic protocol to meet those unique design goals. But not using paper alone, because the math would be too hard.
Paper appears to guarantee availability and privacy, just as invisible ink appears to guarantee security. In practice, each often falls short. Ballot boxes disappear. Absentee ballots travel through the postal system, which is a bit like blasting one unencrypted UDP packet and hoping for the best. No individual can take their paper ballot and later confirm how it was counted.
You could do these things with electrons though. It would require some fast math, like almost all useful protocols in information theory.
The Swiss Post recently organized a public review (with awards for identifying bugs - see another older thread on HN) for the software that they'll try to launch.
On one hand the Swiss Post's solution would allow me to actively check if my vote was part of the total, which I think is absolutely fantastic.
On the other hand I did access the source repository of the new potential voting system <with sparkling eyes expecting something "special"> but I didn't even start digging into it as soon as I saw that it was written in Java.
I thought that such a software, which is the foundation to the future of a nation (voting system), would have as its foundation 1) a language that leaves very little room for technical and functional bugs (e.g. something used in the aerospace industry?), 2) would be structured using an extremely well-known-for-its-reliability workflow-engine and 3) was submitted to testing covering basically ALL possible combinations at ALL levels (not just e.g. "10000 cycles of randomness" but all possible input-values, for all layers).
When I saw that it was written in Java (nothing against Java - same thing for e.g. C/C++) I immediately gave up because, even if that SW is made to be absolutely unhackable >>now<<, this won't be true anymore starting from the next releases as the $ and "attention" will inevitably be reduced more and more and the whole tower will start to crumble.
Summarized: I'd like such a system, but I would need it to implemented in an extremely strict way that is able to survive times of low budgets and/or bad employees and/or bad management and/or of course corruption, which is when coincidentally a stable solution would be needed the most.
I usually (have to) choose between dark- or light-grey when I vote, but in this case, to replace the current system, it's one of the rare occasions for which I would need a "pure white" solution :)
Paper ballot operational complexity scales linearly with the size of the electorate, which makes them adequately scalable for any practical use. (There's maybe an issue with using paper ballots for some esoteric election methods, because of how operational complexity scales with number of candidates for some type of tallying, but absent a decision that use of one of those methods is desirable that's immaterial.)
Australia holds elections this way and has done so for a century. Scaling has not been an issue. Neither has transparency.
Repudiation, verification etc..
I suggest this technology is part of a 'pro democracy' agenda, as opposed to some kind of existential need within the US.
The tech might ostensibly be destined for S. America, Africa and parts of Asia.
The opposite is true, for example the Russian government is actively pushing for electronic voting at the moment. No more videos like this, only the number "your dictator got 70% of people's votes"
Paper voting isn't perfect.
> We will show a methodology that could be used by others to build a voting system that is completely secure.
This really feels like a Proof-of-concept or reference architecture, at best.
I think that's DARPA's primary mission, though, isn't it?
I get this same feeling from posts that say "Product X written in language Y". While I agree that there exists a right programming language for a given task, it is not in itself a reason to use product X.
Having asked it dozens of times, I’ve come to the conclusion that I don’t trust anyone to build a voting system. I like it as a question tho, since it’s open ended enough to really let the candidate focus on the domains interesting to them; scalability, security, data modeling, whatever they want really.
Do you apply the same test to cryptographic algorithms?
It might still go nowhere, but I expect there will be very interesting developments as a result of it.
What we may learn from this, a) there's no perfect system involving software, b) if we do not want to invest as much in democracy as we do in shuffling around a few people by aviation, how may we be worth it? Anyway, voting methods shouldn't be about cost reduction.
Regarding Xerox scanner compression issues, compare this great CCC-talk by David Kriesel, "Traue keinem Scan, den du nicht selbst gefälscht hast"  – Sorry, German only.
(Didn't MS's PDF-viewer have similar issues?)
And, even so, the losing parties ALWAYS claim there's been some fraud, and a significant part of their respective voters buy such discourse.
There's been turnover of power pretty regularly in most parts, and even this doesn't stop folks of accusing electoral fraud.
Last year, thanks to WhatsApp, the debate gained special contours. Lots of malicious people shared videos showing fake frauds, which were dismissed after some hours.
There's been also lots of stupid people mistyping into the ballot and screaming around with a camera accusing a fraud.
It was a bit of a mess and things tend to get serious in very tight scores, since there won't be a safe, auditable way of recounting the votes without having to fully believe in the government agency responsible for operating the system.
The system makes the process extremely efficient. We are 100 million voters, voting is mandatory, and we always know the winners within a couple of hours past the end of the voting process. But..
As long as the voter remembers their password, they can look up their record, and the record can be a fully public record with anonymity.
Voting systems should provide confidence to voters that votes are counted correctly, but not permit anyone, including the voters themselves, to learn how they voted after the ballot is cast.
"Voting systems should [...] not permit anyone, including the voters themselves, to learn how they voted" What could possibly be the benefit of that?
By only allowing you alone into the voting booth, not allowing you to show your ballot to anyone, collecting the ballots in a sealed ballot box that's located in public that anonymizes the votes
> Even if votes aren't all logged, you can still be tortured for the answer.
No, you can't if there is no way for you to prove how you voted.
> I would much rather the country have an individual coercion problem than a mass voting fraud problem.
Why would one have anything to do with the other?
Also, one way to keep a country free from individual coercion problems is by having a reliable election process.
If there is no possible way for you or me to know (edit: prove) if I'm telling the truth, how is that worth your time and energy? It's not.
The benefit of a secret ballot is that it greatly reduces, if not removes, the incentive for coercion.
A durable record that maps votes to voters does not prevent voter fraud, it enables it.
1. Mobster goes in to vote but doesn't put it in the box - he takes the blank ballot paper outside with him.
2. He fills the vote on the ballot and gives it to the coerced voter 1. He expects a blank ballot back, or else. He has his goons watching the voter throw the real ballot in the box, or else.
3. Using the new blank ballot he goes to coerced voter 2, and the cycle continues.
Of course this is hard to scale.
- Key: Encrypted SSN
- Value: Unencrypted Vote
Coercion could be a problem but with enough humans it seems unlikely to be effective without the details of the conspiring entity leaking. If there are 10 jurors or a few judges, coercion matters because it is easy to cover up. Coercion at scale has never occurred. Coercing any double digit percentage of 300 MM voters through violence or bribes or etc. will leak based on the law of large numbers. Conspiracies stop being theories when they are validated by thousands/millions of people.
Social pressure is a bit trickier. It does force any minority voice to reconsider their vote. However, this isn’t different from most of history where a violent or non-violent revolution occurs. Most people lie about their opinion officially but build consensus privately. Until a point where the scale tips and both opinions are appropriate and debatable.
Retaliation is the biggest issue. But we already have some pretty good laws in place around discrimination based on politics. We can improve those, but also as a society we need to get better at debate without retaliation and hiding opinions doesn’t help that societal improvement.
It was made secret because all the problems you say aren't important, were very important.
I've been around too many women in abusive relationships to feel comfortable with that approach.
Voters don't need to be able to verify their vote post-election because a) they cast their ballot, so they can just remember who they voted for, and b) they can't change their decision, so there is no need to have a record of it.
Force them to vote by mail, watch them fill out the ballot (or fill it out for them), and mail it in.
You basically need to hold someone hostage or under total surveillance from when the ballot is mailed to when the polls are closed to avoid them just sending in their actual ballot afterwards.
With an electronic voting system the window of time you have to hold someone hostage is much shorter - simply force their vote an hour before the polls close and then hold them prisoner for the hour.
It means that before the voting date you go to a public office, a consulate in a foreign country, etc., show your ID, go into a voting booth and vote, and they put your vote into an envelope, which is sealed and mailed to the voting place.
Or that two appointed volunteers go to, e.g., an assisted living facility and witness residents voting and placing their vote in an envelope that is then sealed and mailed to a voting place.
I’m not saying fraud is rampant, but there’s no denying the fact that on the individual level fraud and coercion are much easier to achieve when voting is done outside the polling booth.
I can promise you money (or threaten you with violence) to vote a certain way, but you can't follow me into the booth, and no matter how you make me "verify" I can always change the vote between verification and depositing it in the box.
If there is a way to verify after, then I can withhold payment until you verify your vote, or hurt you after I've seen your vote isn't what I wanted. By not allowing after the fact verification, it means that can't happen, and greatly reduces coerced votes.
So as cool as it would be to verify my vote after the fact, it has too many unintended consequences.
A simple example would be assigning a random color to each option per person. So blue means Trump for you. Hilary for someone else.
You only need to get people into a booth once, to learn which color is which option.
From there on in, verification is as simple as looking at the color to make sure it's correct. No one else can be sure what the color means.
Same principle can be done on multiple votes, though information will leak. So if you're coerced more than once you'd need to regenerate your colors. So while this solution stops the 'violence' coercion it won't stop 'sale' coercion.
Also the other problem is people will write their colors down or forget them - which is why as you say verification after the fact causes way too many problems.
It sounds like the new system has this feature, and also another key feature of Scantegrity which is that the tallying can be done publicly and independently verified. From the article:
> The optical-scan system will print a receipt with a cryptographic representation of the voter’s choices. After the election, the cryptographic values for all ballots will be published on a web site, where voters can verify that their ballot and votes are among them.
> “That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,” Kiniry said.
> Members of the public will also be able to use the cryptographic values to independently tally the votes to verify the election results so that tabulating the votes isn't a closed process solely in the hands of election officials.
> “Any organization [interested in verifying the election results] that hires a moderately smart software engineer [can] write their own tabulator,” Kiniry said. “We fully expect that Common Cause, League of Women Voters and the [political parties] will all have their own tabulators and verifiers.”
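The receipt-and-bulletin-board mechanism in the quoted passage, as an added Python illustration (not the DARPA/Galois system's code and not Scantegrity): Pedersen commitments give each voter a receipt that hides the vote, and the homomorphic product of all receipts lets anyone recheck the published tally. Assumed: toy-sized, constructed group parameters, a single authority that publishes only the aggregate randomness, and no zero-knowledge proofs (real systems need them so a receipt can only commit to 0 or 1).

```python
"""Toy end-to-end verifiable tally with Pedersen commitments (constructed example)."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4  # safe prime P = 2Q+1, toy-sized (constructed); G = 2^2 generates the order-Q subgroup


def second_base(seed: bytes) -> int:
    """Derive H = x^2 mod P from a public seed so nobody knows log_G(H); that unknown log makes commitments binding."""
    for i in range(256):
        x = int.from_bytes(hashlib.sha256(seed + bytes([i])).digest(), "big") % P
        h = pow(x, 2, P)
        if h not in (1, G):
            return h
    raise RuntimeError("could not derive a usable base")


H = second_base(b"toy-election-seed")


def commit(vote: int, r: int) -> int:
    """C = G^vote * H^r mod P: without r, C says nothing about vote (hiding)."""
    return (pow(G, vote, P) * pow(H, r, P)) % P


def cast(vote: int) -> tuple[int, int]:
    """Voter picks 1 (candidate A) or 0 (B). Receipt C is printed for the voter; r stays with the system."""
    assert vote in (0, 1)  # a real system proves this in zero knowledge instead of trusting the machine
    r = secrets.randbelow(Q)
    return commit(vote, r), r


def run_election(votes: list[int]) -> tuple[list[int], int, int]:
    """Publish the board of receipts, the tally T, and R = sum(r) mod Q; no individual r is ever disclosed."""
    board, rs = zip(*(cast(v) for v in votes))
    return list(board), sum(votes), sum(rs) % Q


def verify_tally(board: list[int], tally: int, agg_r: int) -> bool:
    """Public check: prod(receipts) == G^T * H^R mod P, because prod(G^v_i H^r_i) = G^sum(v) * H^sum(r).
    Faking a different T would require knowing log_G(H), even for the authority."""
    prod = 1
    for c in board:
        prod = (prod * c) % P
    return prod == commit(tally, agg_r)


if __name__ == "__main__":
    board, tally, agg_r = run_election([1, 0, 1, 1, 0])
    # voter checks own receipt is on the board; public checks the tally; a shifted tally fails
    print(board[0] in board, verify_tally(board, tally, agg_r), verify_tally(board, tally + 1, agg_r))
```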
Anyone in later time zones will be less incentivized to vote if they can see the results of all the votes that came before them.
IMHO even exit polling should be outlawed. This day-long televised circus during elections is really damaging to democracy...
When you vote there would be a record of the registration ID voted for this particular election ID. Information that you voted is already available... so this component is not a change to the system really.
It's an extremely important and useful concept, and should form the basis of the first question (or one of the first) asked of any voting system provider.
It's open source and it's actually got a sound philosophy behind it. It's near completion and hopefully it'll change the way we vote globally (not just in Aus)
This amazing talk by Ben Adida is really relevant. He has worked on solving voting for a long time now and does a great job here of breaking down some of the salient parts of the problem.
Deployment requires mailing ballots out and having places where people can come in to fill them out.
10 million dollars please.
Helpers? What do you pay them? Can they understand that dialect of that obscure language? Do you trust them not to lie about what they’re marking on the ballot for someone?
The truth is electronic voting machines have upsides. Having the system fill out the ballot which the voter then hands in seems like an almost ideal use to me. It’s totally verifiable but can help many people who wouldn’t be able to vote without help.
Do we really think that a large conspiracy of translators for obscure languages is a viable attack?
If you're going to get the physical ballot anyway what's the point?
If the authorities try to tamper with the central copy of the voting data, it will be checked by the multiple copies owned by the general public.
I think that's the general idea one should pursue. Not "secure hardware".
DARPA Is Building a $10M, Open-Source Voting System
 - https://js1k.com/
Yes, for thousands of years. The result is called the paper ballot.
You cannot have a verifiable anti-tampering voting system using computers. You need verifiability by the general public. Auditing a microchip is not something members of the general public know how to do, and in any case, it destroys the chip, so it's kinda useless anyway.
Or do you mean hand written ballots? Does anyone still use those?
And yeah, the digital ones have been hacked at DefCon by children. (Their parents taught them how to hack the devices, so I guess that is cheating.)
Maybe throw in some Blockchain or did I use a BS Bingo term?
Also, while the guidelines say it has to be a cross, it could be any clear mark (though best not to risk it), as someone drew a rude symbol in a square and it was counted as a vote! (https://www.bbc.co.uk/news/magazine-32693485)
Yes. The constitutional court of Germany ruled that electronic voting is essentially illegal in Germany due to all the inherent flaws, so all elections are done with pen and paper, ballot boxes, and manual counting.
Most of the world's leading democracies.
The USA is actually the outlier.
As for secure, if it's connected to the internet, then it's always going to be a target.
It seems to me, that - if voting integrity is priority #1 - a return to traditional analogue voting should be given strong consideration.
Probably won't happen though, as it would seriously shake up politics as we know it.
This sounds like they are using homomorphic encryption?
This sounds like it means it's no longer a secret vote and voters can be bribed or blackmailed to vote a particular way.
Skinware writes the software.
(Is "skinware" the new "wetware?")
In places where elections are fabricated, this might help quite a lot.
It won't make a difference in well functioning countries.
Since whoever controls or hacks the machines gets to set the vote counts, the audit only happens if they want it to.
 - https://www.sos.ca.gov/elections/voting-systems/oversight/co...
Your electronic voting machine could completely tell you the truth about every ballot you ask it about, but lie about the total.
That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?
The article briefly mentions "That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,". But if that receipt doesn't let you prove anything about how you voted, how can you tell from it that your vote was captured 'correctly'? The machine can print anything on the receipt!
Then there is the question - what problem is e-voting trying to solve? Hand-counting scales perfectly and is extremely difficult to covertly tamper with. So the only 'problem' e-voting solves is that of being unable to covertly and fully subvert elections.
Have dedicated hardware compute a hash from the content of program ROM on demand with a button press and present it on an auxiliary 7-segment display. Compare against the hash of the vetted image. No software need be involved.
At some point in the process, machines will be used for tabulation. You have to trust the hardware to some extent. Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.
How do you check the circuit of that hardware?
How do you know the ROM you are reading is the ROM the CPU is executing from?
How do you know the CPU is the architecture you think it is and the program means what you think it means?
> You have to trust the hardware to some extent.
No, you don't, and you shouldn't. You can do all of that calculation by hand. And at the very least you can check a random selection by hand.
> Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.
In other words: Don't use electronics. You can't get simpler than pen and paper.
And the entire system relies on the people implementing it to not have been compromised. Because if they were, if the government itself compromised the machines, the voters could never tell. How good is a voting system that only works if your government is honest?
e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.
As for the "We won't tell you how you voted but you can validate it", my first guess would be some kind of PKI where you are given the equivalent of a private key, and your results are signed.
There are issues trusting hardware vs. trusting the sight of paper and two humans, I get that. But it's worth researching.
In Australia we use IRV (what you call ranked-choice) and we don't have any forms of electronic voting for federal elections, and the overwhelming majority of votes cast in state elections are paper ballots (which are hand-filled). You don't need e-Voting to solve that problem.
They are not. The count is done thrice, by hand, under supervision by scrutineers appointed by candidates.
It works very well.
There are more esoteric (see, mathematically dependent) voting systems that meet the Condorcet criterion.
Yet they keep pushing for half-baked insecure systems long before any of this research has been finished.
Is your point that we should never, for the rest of time, investigate the use of electronics for secure voting?
The content of the article reflected this - mostly about actually making a system, very little about research on the math behind secure voting on untrusted hardware. It's clear they want to use this.
You would need independently verifiable hardware and all software running on a closed system (ie, no third party modifications to running software which would mean at most a trusted sandbox for other applications outside the proven path) to be able to trust it to reliably take your vote.
That's on the order of correctness provability that NASA puts into launch vehicles, but NASA doesn't have to contend with hostile actors seeking to undermine their software and hardware.
Because now instead of securing centralized voting locations and machines you somehow have to create perfectly secure software running on your Aunt Florence's machine with 51 toolbars and 3 different botnets installed and also make sure she can use it properly and securely. Oh, also now you're accepting votes as bits over the internet, giving nation states probably the juiciest target and the widest possible attack surface (see securing every voter's computer).
Even using something like the IME and secure enclaves to take the computation outside the range of your average exploit, it's still vulnerable to attack.
Then even if you've perfectly secured the hardware and software you're just left with the largest login/key infrastructure problem of all time with the average voter having to understand how to not be tricked into not actually using your secured software and hardware environment...