Why Online Voting Is a Danger to Democracy (stanford.edu)
199 points by rezist808 on June 13, 2016 | 307 comments



I am strongly against the view of the author.

I see that the majority (or a large portion) of voters are fanatics that vote based on affiliation and fanaticism, not policies nor experience.

I.e., the voting numbers are largely biased towards the political fanatic crowd.

I see online voting as a way to increase the number of ordinary people that vote. Getting the voting population to 80%+ or more is good for democracy. I see this as a positive.

Saying Online voting is a danger to democracy is like saying autonomous cars are a danger to safety.

Yes, if the autonomous system doesn't work and is made with loopholes that allow dangerous stuff, it will pose a danger. But if made to work fail-proof, it will be infinitely better.

There's no point in saying something will not work if your only argument is based on the proposition that it's going to be broken before it's even used.

Sure, an unsafe car is not safe. The only way to make it safe is to make sure it's safe.

The only way "democratic" online voting will work is to make sure it's "democratic".


Your comparisons overlook a major difference between the paradigms of paper and digital ballots. It's the same problem with autonomous cars. An unsafe car can cause a single crash. An unsafe autonomous car program could crash every car everywhere all at once. And with the current state of software development, we KNOW that this software is vulnerable.

With paper ballots, it's not easy to tamper with the entire vote. You need a huge, widespread effort. Or your country is so fucked that your government ignores the vote and makes up some numbers. Everybody knows it's fraudulent, but nobody can do anything about it.

With electronic ballots, it's suddenly trivially easy for just a tiny handful of rogue elements to stealthily forge every vote without anyone even realizing there was fraud.


> With electronic ballots, it's suddenly trivially easy for just a tiny handful of rogue elements to stealthily forge every vote without anyone even realizing there was fraud.

We already have technology that, so far, is pretty much tamper proof that could easily be adapted for online voting. I would be highly skeptical/distrustful of any centralized voting system, but if there was an open ledger voting system that uses a blockchain, well I would be all for that as it would be extremely hard to tamper with, arguably harder to tamper with than with paper ballots.


I agree.

And a receipt that shows my vote was counted as part of the final results.


I think you underestimate the sophistication needed to tamper with paper ballots. There's certainly a "boots on the ground" requirement for tampering, but the knowledge requirements are trivial compared to crypto attacks.


The physical chain of custody can be guaranteed with paper ballots. Yes, you can burn ballots, or stuff the box, but if you're minding the store, someone would notice.

Source: former poll judge, inspector.


I defer to your expertise but did you ever work in third-world countries? (To use the phrase as a proxy for inadequate political/physical infrastructure)

To use the engineering aphorism, just because it can be done doesn't mean it is done. I'm curious about how physical security/verification works in that environment vs a hypothetical crypto solution.


Observing third world elections is on my bucket list.

Election and voting chicanery happens plenty in the USA. No need to look abroad. Merely lifting the floor here would be transformative.

The silver lining from the oversteer triggered by Gore v Bush 2000 is that HAVA did lead to greater federal involvement in our locally administered elections. E.g. Election Assistance Commission http://eac.gov is now fairly proactive.

re "vs a hypothetical crypto solution"

Estonia's online voting system hasn't fared well under scrutiny.


If you've worked in third-world countries, you should realize that elections are a human problem determined by societal attitudes. Electoral fraud is not a technical problem.


Knowledge isn't really going to be an issue for the parties most likely to try to swing elections, many of which are state-level actors.

The thing about the crudeness of methods used to tamper with paper ballots is that it's also similarly trivial for a bunch of volunteers including members of all different parties involved in the election to spot, and in many cases trivial to reverse.


Knowledge is not the problem. In fact, knowledge is a trivial problem because with electronic ballots, you only need a single guy with the right knowledge and he can compromise the entire election.

The old way, you need an entire army of idiots.


People in this thread are assuming we can just solve the security issue if we try hard enough. We can't. It would mean securing every single voter's computer, and that's preposterous.

There is no consensus algorithm or blockchain that will work if the voter's computer or phone is compromised. To name just one avenue of attack: if you have control of the video output then you can swap the name of two candidates. That's all it takes. You figure out which candidate is most likely to win in several key ridings/districts, and then on all of the computers that you've infected with your virus you swap their name with the candidate you'd like to win. The voting software would never know, the voter would never know. Any confirmation step, like printing out a receipt, can similarly be trivially defeated.

Whoever is in control of that virus - be it a fanatic, foreign government, or corporation - can now decide an election.

The only way around this is to have a 100% secure device dedicated to nothing but voting that you mail out to each voter. Even if you could build such a thing (which is likely impossible considering that the efforts of hundreds of thousands of people across many countries go into making a device - hardware and software), that's far more expensive and awkward than a mail-in ballot.

I'm not exaggerating when I say that online voting would be the end of democracy. For any definition of practical, it cannot be secured. If it cannot be secured, it is not democracy.


Those statements are too strong for the evidence you provide.

A trivial solution would be when you vote online you get texted a confirmation. If you don't respond to the confirmation you get a call. The confirmation gives you a candidate you voted for and a blockchain signature and an opportunity to report error.


Voting is secret, so your solution as described wouldn't work, but say you used a one-way hash to verify the vote.

It still wouldn't work in the case of someone voting from a compromised phone, because the confirmation can easily be altered.

So now you've got a system where you need to be in front of two separate devices in order to vote, which I find unlikely to be accepted as a solution because of the inconvenience. And even then, it just means that you need two different viruses. Or find an exploitable flaw in the confirmation system. If you've got control over the machinery (including people) that's running the algorithm, the game is over.

My evidence is that there's never been a widely used system that hasn't been compromised: military installations, nuclear power stations, ATMs, gambling machines.

How could you possibly expect voting to be more secure than all of that, considering that in the above examples they had complete control over the network and the devices, and were hugely motivated and well funded in their security efforts?

Voting is too important to be handed over to a group of people who say "trust us, this time we figured it out". And to take that huge risk for what, just to avoid paper ballots?


I'm not sure it's fair to hand-wave the concerns presented in the article with your argument of "just make it fail-proof". How often is software really fail-proof? The more complex software gets, the more difficult it is to ensure that it's bug free enough to be fit for purpose, and that's what the article is effectively arguing; software for voting on a national scale (the size of the US) is going to have an incredibly difficult time finding a level of security and stability that is fit for purpose.

Also, I question the statement that a high percentage of voting is unambiguously good for democracy, especially with how people treat voting like making birthday wishes. I'm paraphrasing from Robert Heinlein here, but too many people think voting is like making a wish, and they want the results without any work or dedication to themselves, their goal, or their country. There are a lot of times when public opinion, in hindsight, was clearly in the wrong, yet a full public vote would have resulted in downright unconstitutional and oppressive results. We saw it with the civil rights movement, we saw it more recently with the right for two consenting individuals in the US to marry, and we'll continue to see how the public is more than willing to weigh in completely on subjects they know nothing about or how certain members of society are willing to throw away the rights of other citizens without a care in the world.

Please understand that I'm not advocating for tests or saying certain people can't vote; but I am saying that just adding more votes doesn't make democracy better, it in fact often works to reserve the power of democracy to an elite few.

And we've already seen how news organizations of all political bents, social networks, and so on have influenced public opinion with their outlets and software.


1. It's not fair to hand-wave and say "make it fail-proof." It's also not fair to hand-wave and say "It could never be fail-proof." It's also good to ask how secure the current system is.

2. As for the advantages of a minority voting, the fact is that any rational agent would never vote. Your argument that "an elite few" might be better than the masses is irrelevant, the fact is the current turnout isn't the "elite few" it's predominantly old people (i.e. people who are bored).


1. I didn't advocate or posit that it could never be fail proof, I was just responding to the original idea of "just make software fail-proof" as if it addressed all the concerns within the article. The article did bring up a lot of issues that had nothing to do with the actual voting software, which would naturally not be resolved by "fail proof" software. I also do question the very idea of "fail proof", since bugs and errors are an inevitability. For the most part, software works, as I said, fit for purpose. When it does fail, it hopefully fails gracefully (like OSes do quite frequently), but even if the software was 100% bug free, the non-software related issues with a national Internet vote still need to be addressed.

2. I also never suggested that an elite few would be better. I made no particular opinion on standards for voting or who should vote, instead responded to the OP's suggestion that more votes is automatically good. The mention of "elite few" was to address the overwhelming influence that a few wealthy individuals and corporations have when it comes to elections in the United States, and how view points on voting issues are greatly distorted by the imbalance of power/the "loudness" of certain voices in a democratic society.

I made no suggestion as to how to vote so much as a criticism of the current system in which, while all people are able to voice their position, individuals and groups are able to effectively drown out the voices of others by means of wealth, not by the merit of position or through debate and discussion.


I don't think the autonomous car analogy is really apt here. For a democracy to be a real thing, the voting process needs to be open, auditable, verifiable. The current trend with any software I've seen around voting has been privatized code that is not inspectable by anyone, surrounded by NDAs, and provides far less in the way of proving results are real than does paper. More people voting and real democracy are probably good things, but without addressing the core auditability of the process _first_, software actually reduces the democracy of the process.


"I see online voting as a way to increase the number of ordinary people that vote."

That is a good goal. However...

All half-measures to increase participation, including registration drives, early voting, absentee voting, postal balloting, same day registration, etc., do not work.

Short of universal voter registration and compulsory voting, the only measure which increases voter participation is competitive races. This means fair redistricting.

Online voting, of any kind, at best, should be considered an opinion survey of questionable provenance.


What is important for representative democracy is that a representative sample of the population votes. Percentage of the total population that votes is really not inherently important beyond achieving an adequate sample to represent all citizens' interests.

Currently, the 'low' voter turnout we see is only a problem because there are groups that are underrepresented, in particular younger people, certain ethnic minorities, and people of lower socioeconomic status. Correcting the proportions of those who vote should be the goal rather than increasing absolute numbers.


If you think participation is so key to a functional democracy, the US can make voting mandatory without exposing us to the huge risks associated with online voting.


Some of the people behind 'wijvertrouwenstemcomputersniet' (we do not trust voting computers) are active in the CCC and have some pretty good arguments on why electronic voting really is a danger to democracy.

https://www.ccc.de/en/tags/wahlcomputer

The link between electronic voting and online voting is a strong one and one would expect the online voting situation to be far more suspect to all kinds of trickery than the one where the voting computer is set up in a booth. Even so, there are some unique ways in which a voting computer in a booth might be manipulated to give incorrect results that do not apply to online voting, but I don't think it matters much, as soon as it's just bits & bytes and audit trails who watches the watchers becomes the real issue.

Any voting system without anonymity and a way to do a re-count and some physical proof is fundamentally broken.


I agree with some of the arguments against online voting. However, it isn't really realistic to do re-counts right now, nor do people do them regularly. If the people doing the counting are bought then that is an issue too.

Both ways suck right now.

One thing that I would like to see is an open source, standardized system though.

There was/is an effort towards this right now.

http://www.openvotingconsortium.org/our_solution

Stops Secrecy in Vote Tabulation: OVC has a team of scientists ready to program computer software for voting machines and electoral tabulation that would be publicly owned or open source. Open source software could be checked by any party or group by hiring a capable computer programmer.

Provides Paper Trail: The OVC recommended procedure for tabulating elections relies on a paper ballot that is then fed through a scanner into a locked ballot box so that all originals are saved in case of the need for a recount or audit (See Sample Ballot).

Scientifically Verifiable: In addition to open source voting machine and tabulation software, the Open Voting Consortium is also working on a database checklist for standard practices in vote tabulation that would assure transparency and accountability. Some aspects of the OVC concept will soon be enfolded into California legislation.

Saves Money: Typical voting machines cost between $2,000 and $3,000, but OVC open source software could be run on any personal computer (PC) and ballots could be printed on a normal printer. OVC envisions PCs with tamper-proof cases as the new voting terminals at a savings of hundreds or thousands of dollars per terminal. (See page on OVC Cost Analysis).

https://www.youtube.com/watch?v=q8CSKdMTARY OVC at LinuxWorld 2008


I don't get the complexity the US creates around voting. I live in a fairly large city (Berlin, Germany, around 3 million I believe).

- I walk 150m to my polling place. It's similar for most people.

- I've never waited more than 5 minutes

- The polling place is run mostly by volunteers, about 5 or 6 per place, with civil servants filling spots that can't be filled. Costs are negligible.

- I get a paper ballot, I mark my vote with a pen

- After 6pm I sometimes return and watch the counting. I can freely walk around between the people sorting the ballots and look at anything I want

- Did the same with friends last time around, we each had a bottle of beer, nobody cared. They were mostly older people happy to get a few visitors and talk a bit of politics.

- Pretty accurate first results (not exit polls) usually around 9pm.

- I can check the counts from my polling place the next day. Votes for the large party are in the lower 3-digits, so it's possible for me to specifically verify a few results.


Here's what most people that are not from the US don't understand:

When I go to vote on election day, I'm not voting for one person/party or even three people/parties. The typical ballot in my neck of the woods is double sided and has ~30 questions: National elections (President, HoR rep, maybe senator), state elections (Governor, SoS, local rep/senator, corporation commission, referendums/ballot initiatives), county elections (sheriff, judges), city elections (mayor, city council, dog catcher), and funding questions (bond overrides and the like). I'm probably forgetting an item or 10 on that list.


I never had 30 elections on one day in Germany (I think 5 was the absolute maximum) as we elect fewer positions in general and don't combine most elections on one day. Usually the federal election is the only vote on that day with some states specifically moving their state election day by one week to avoid a clash. The only usual combination is regional/European elections or state/regional elections for the small states. Referendums (there are only a few) are usually tacked onto another election if there is one in a reasonable timeframe.

The elections each use a separate ballot (and often separate ballot box) and are counted one after the other with the most important election being counted first while the rest is still locked away in sight.

But yeah, for 30 ballots that system might break down.


I live in White Plains, NY, which is about 45 minutes north of NYC. My experience is similar to yours. But the US is a big, big place. I wouldn't be surprised if your experience has more to do with being in a major city, than in Germany. That is, what is the experience in rural parts of Germany? Poorer parts of Berlin?


Looking almost exactly the same. Rural (well rural in Germany is not the same as rural in the US) polling places might have 100 voters assigned instead of 1000 and people know each other but that's about it.


One issue is the cost and logistics of it all. In Sweden we therefore have three different elections on the same day. Campaigning tends to focus on the national election, thus the others get a back seat and quality suffers.

Also, I've helped some smaller parties with the ballot distribution. It's not a small task for a small party to ensure each and every polling place in the country has ballots. Just the physical logistics of it is hard enough, but then you also have to deal with all the people who seem to think that only established parties have a right to participate in the election in the first place. The barrier to entry is quite high. Perhaps that is a feature though.


I have a question: Does every party have to supply a separate piece of paper and the voter then chooses which piece of paper to put into the ballot box? What do voters do with the non-chosen ballots, i.e. how is the secrecy of the vote protected?

The system I know from Germany is that there is one ballot per election and the voter puts a mark which party/candidate they choose with a pen on that.


Yes. Three actually, if you count the different elections. On the ballot is a list of names representing the party so you can vote for a particular candidate by marking the name.

Usually people pick a set of ballots for different parties to bring behind a screen where the chosen ballots are put in the envelope for the box. The non-chosen ones you can pocket to keep secret. Some people tend to leave them in the booth though.


Voting procedures are handled at the state level, subject to terms from the federal government regarding basic access and fairness, so there is a lot of variety. I lived for twenty years in CA and I could have said the same thing about my polling experiences except for doing the counting (you can volunteer to be an elector and after some basic training do so, they just don't let the general public wander in to the best of my knowledge.)

Experiences vary.


Poland here, same process. Well, I don't think I can actually watch them count, but then again, I never tried.


In France, if you can vote, you can even count, and people can volunteer when they cast their ballot. The president of the voting station will usually also ask young voters to help.


> However, it isn't really realistic to do re-counts right now, nor do people do them regularly.

Australia uses paper ballots, and every election there's a seat or two somewhere that there's a recount. The major parties get their volunteers[0] to scrutinise the officials as they count as well, so you have multiple opposing interests scrutinising the actual count. Every vote basically gets at least three pairs of eyeballs on it. The officials and the watchers observe the ballot boxes all the way from the booths to the counting areas. It's difficult to come up with a more robust way of doing an actual public election, though there are some minor drawbacks.

And as far as I'm aware, this system is actually cheaper (per capita) than the US electronic systems. I imagine the 'low tech' nature is where a lot of savings happen - little need for technical skills.

[0] 'Scrutineering' is boring as hell, but parties already lean heavily on their volunteers, what's one more thing?


Italy here, it works in the same way. Parties have their watchers. I expect this to happen in every country, unless there is only one real party and the others are there just for the show.

In every paper based system problems can arise outside the voting site: parties can buy votes but that's the same with internet voting. With the internet and computers an attacker has the benefit of changing a vote every 1,000, on the client or on the server or on the network (MITM). That's enough to win many close elections. I wonder how parties could watch against that. Are we going to end up with computers with rootkits for every major party fighting each other for the right to vote on our behalf?


The paper based system guards against vote buying through the guarantee of secrecy. I go into a booth on my own, make my mark(s) fold my paper, and put it in a locked box. No one but me knows how I voted.

If I go in with someone else, the officials will take action.

You can try to buy my vote, but I can just take your money and vote however I want.

If I can vote from wherever I like, then someone can stand over my shoulder and watch me vote, then only pay for it if I do as I'm told.


The quasi-standard protocol to sell a paper vote is photographing the marked ballot inside the booth, before putting it in the box.


You can photograph it, then spoil it before putting it in the box.


> If I can vote from wherever I like, then someone can stand over my shoulder and watch me vote, then only pay for it if I do as I'm told.

and this scales?


Sending a vote buyer knocking on doors and watching people vote when they happen to be voting is not very scalable. However, party activists and pollsters already do the first part. Adding the second isn't a massive leap.

However, there are situations that might scale better.

A business owner or manager might strongly persuade their workforce into voting the "right" way, by getting them to vote at work. This would scale quite well in a non-office environment, where you might suggest to your workers to come and use one of the few computers you have (for their own convenience, of course).

Another option might be some kind of party, where you invite people to come and vote for your candidate in exchange for payment. This could work quite well to gain the votes of the poorest in society, who may otherwise find it difficult to vote (no internet at home, can't easily get to the polling station).

Remember, those who care enough and are decisive enough to vote early in the day, are not the target of vote buyers. The people whose votes you can buy are those who were possibly thinking of not voting at all, or those yet to decide as the polls are closing.

Think about the scalability of the other side. At the moment, you have a few people per few thousand voters sitting in the designated room for those voters, watching out for violations.

Both of these intimidation/buying activities would be illegal, and would certainly not be endorsed by the actual party in question, but by rogue individual supporters of the party. However, detection and prosecution of offenders will be far more difficult and time consuming.

Having to detect and prosecute these irregularities after-the-fact would also mean that elections may have to be invalidated and redone (possibly ad-infinitum) when a violation has happened. If you just remove all the illegal votes and recount, then what about all those voters who did vote with their conscience, but just happened to do so in the wrong place? Then what do you do about the actions of the illegally elected in the interim?


If it's digital, software can be written to verify it. Or even vote on your behalf, asking you only for the credentials.


I already vote from wherever I like by mail.


And sometimes those recounts uncover issues of ballots having gone missing [0].

[0] http://aec.gov.au/Elections/federal_elections/2013/wa-senate...


The US has been down that road, and I forgive you for not knowing this (as you're Australian). But let me introduce you to Hanging Chad.

https://en.wikipedia.org/wiki/Chad_(paper)

https://en.wikipedia.org/wiki/Florida_election_recount

Although, calling this system a "Paper ballot" is not quite the truth. While it uses paper as the medium, the hole punching method is non-traditional in relation to basic written checks/X's or even scantron selection (which also has issues). But my point is that even "simple" and "low tech" methods can still have unexpected issues, such as the infamous Florida case.


UK here, it's just a cross on a box. Nothing as complicated as these hole punching machines.


> However, it isn't really realistic to do re-counts right now, nor do people do them regularly.

About half of the states require by law a recount by hand at a random selection of voting locations.

> If the people doing the counting are bought then that is an issue too.

That's why you have hostile observers from opposing parties present.

> open source software

So you have the source. Now prove that it is installed at both the client and server. Then prove that the operating system, bootloader, and every other part of the computer you need to trust is actually loading and running your software properly.

Difficulty: Volkswagen showed it's easy to evade inspections, and good luck proving anything on a system with Intel ME. Do you know that there isn't an extra core or ROM hidden inside one of the chips?


> > If the people doing the counting are bought then that is an issue too.

> That's why you have hostile observers from opposing parties present.

That's probably why GP wrote "bought", not "asked nicely to miscount in their party's favour".

That said, it's probably a game neither party would like to play too much, as it seems it could spiral out of control and turn into a race to the bottom, sucking out more and more party money.


>> That's why you have hostile observers from opposing parties present.

Even though observers are supposed to behave in an impartial and accurate way, partisan observers help ensure accuracy by their partisanship.

If an individual counter is bought by Party A, observers from Parties B and C are there. When the teller puts some of Party C's votes in Party A's pile, Party C is there to bring it to the attention of officials. If it is likely to be close between A and B, and a teller puts a spoiled, party D, or independent paper in A's pile, then B will note it.

Once these things have been raised, they are recorded and read by more officials and observers. That increases the number of people you need to buy off in order to effect a change in the result, which in turn increases the chance of being caught or having to buy off someone who cannot be bought in your favour.


Fundamentally you could buy people off. However you'd need to get the people counting, and the officials, and people in different parties, and not be spotted by any of the public that watch. And then do that again, simultaneously, in thousands of other locations, and not get caught or have anyone you tried to buy out go to the police.


San Francisco has started the process of creating just that kind of end-to-end open source voting system (using the existing paper ballots, optical scanning and manual recount process that exists here). Here's some more information: https://gcn.com/articles/2016/06/02/sf-open-source-voting.as...


Australia had open source voting machines in 2003

http://www.wired.com/2003/11/aussies-do-it-right-e-voting/

If we can bank online we can vote online, not that hard. Not perfect, but better than paper voting, that's full of bugs


How do I verify that the machine actually runs the published software?

With online banking there is a paper trail of every action taken. If we want secrecy of the vote that's suddenly a lot harder to do.


Not really, you just have to be given a number that you can later match, no one has to know that number is you. Could even digitally sign things.

I propose a system where each vote is broadcast to multiple counting organisations, to avoid the counters being biased, and each vote is numbered, but only the voter knows that number so they can check with any counting organisation that it was recorded as they wished.

E-voting makes better forms of voting cheaper, instead of just First Past The Post. Preference voting for example.


If you just give out a number you suddenly open up the system to voter coercion. I can actually prove to you how I voted. Also, as a voter I can't be sure that the system that gives me the number does not save the link between it and me.

For preference voting you don't need e-voting. Using computers to help you count ballots (with an analog check and fallback option) is possible without actually collecting the votes electronically.
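
Added example, not part of the thread or of any real voting system: a Python sketch of the receipt-number scheme proposed above (each vote broadcast to several counting organisations under a number only the voter knows), run against the two objections raised in the reply. All class and function names, candidate labels and voter names are constructed for illustration.

```python
import secrets
from collections import Counter


class CountingOrg:
    """One independent counter publishing a receipt -> choice board."""

    def __init__(self, name, tamper=None):
        self.name = name
        self.board = {}
        # Constructed fault for the demo: maps a choice to what gets recorded.
        self.tamper = tamper or {}

    def record(self, receipt, choice):
        self.board[receipt] = self.tamper.get(choice, choice)

    def lookup(self, receipt):
        return self.board.get(receipt)

    def tally(self):
        return Counter(self.board.values())


class Issuer:
    """Hypothetical front end: issues receipt numbers, broadcasts each vote."""

    def __init__(self, orgs, keep_links=False):
        self.orgs = orgs
        self.keep_links = keep_links
        self.links = {}  # receipt -> voter id, filled only when keep_links

    def cast(self, voter_id, choice):
        receipt = secrets.token_hex(8)  # random, carries no voter identity
        if self.keep_links:
            # Invisible to the voter: the returned receipt looks the same.
            self.links[receipt] = voter_id
        for org in self.orgs:
            org.record(receipt, choice)
        return receipt


def check_receipt(receipt, expected, orgs):
    """Return the names of orgs whose record differs from `expected`.

    Needs nothing but the receipt, so whoever holds it can run the check.
    """
    return [org.name for org in orgs if org.lookup(receipt) != expected]


def demo():
    org_a, org_b = CountingOrg("org-a"), CountingOrg("org-b")
    org_c = CountingOrg("org-c", tamper={"blue": "red"})
    orgs = [org_a, org_b, org_c]
    issuer = Issuer(orgs)
    alice = issuer.cast("alice", "blue")
    issuer.cast("bob", "red")

    # Benefit claimed for the scheme: cross-checking exposes a biased counter.
    mismatches = check_receipt(alice, "blue", orgs)

    # Objection 1 (coercion): the same check works for a third party who is
    # handed the receipt, so the receipt is proof of how the vote was cast.
    third_party_confirms = check_receipt(alice, "blue", [org_a, org_b]) == []

    # Objection 2 (linkage): an issuer that logs receipt -> voter can join its
    # log with the public board; voters see no difference from outside.
    org_d = CountingOrg("org-d")
    logging_issuer = Issuer([org_d], keep_links=True)
    carol = logging_issuer.cast("carol", "red")
    deanonymised = {logging_issuer.links[r]: c for r, c in org_d.board.items()}

    return {
        "mismatches": mismatches,
        "honest_tally": dict(org_a.tally()),
        "tampered_tally": dict(org_c.tally()),
        "third_party_confirms": third_party_confirms,
        "deanonymised": deanonymised,
        "receipt_lengths": {len(alice), len(carol)},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property that lets the voter catch `org-c` is the same property that makes the receipt transferable proof, which is why schemes aiming at ballot secrecy treat verifiability and receipt-freeness as separate requirements.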


Much more of an issue that people don't vote than people sell their votes, which they do indirectly anyway.

Does anywhere use computer-printed ballots, to avoid ambiguously filled out ballots?

Computer creates PNG, you print that, or it's printed at a station, you carry that paper to the vote counting machine, it's optically read (and read by humans if you wish) without errors because it was just printed by a computer.


One of the biggest problems with evoting machines is that the voter has no way to guarantee that the machine has correctly recorded their ballot.


Which is why the voting machine should print a paper receipt which in plain text tells what vote you cast; this receipt is then deposited in a ballot box.

If a result is disputed, simply count the paper ballots like we do today.


If it's printed paper ballots, you have merely created a very expensive pencil. There isn't any benefit of using a computer+printer.


Unless the result is contested you have saved an amount of counting effort which could be a cost saving. Though I suspect it would take some time for the ROI of implementing such a system to work out positive.


> Unless the result is contested

By law a representative sample of sites are recounted by hand in about half of the states.

> you have saved an amount of counting effort

The ballots are already optically scanned.

> cost savings

A handful of pencils per-voting-booth is far cheaper than any computer+printer solution.


> > Unless the result is contested

> > you have saved an amount of counting effort

> The ballots are already optically scanned.

If the result is contested then I presume that this scanning may also be under suspicion (of being faulty or having been somehow doctored deliberately).

> > cost savings

> A handful of pencils per-voting-booth is far cheaper than any computer+printer solution.

Which is why I mentioned the time for ROI to become positive. The electronic counting will save time (man power for the initial count, the need for recounts, and just wall-clock time so the results are available earlier) but the cost will be high. At some point perhaps the solution will pay for itself in time/resources saved but it will take quite a while if at all.


> I presume

Maybe you should study how elections are actually implemented instead of making assumptions. I suggest watching the talk I linked to in my top-level post.

> this scanning may also be under suspicion

Obviously. Hence why it's important to recount the paper ballots by hand. This is also why about half of the states require confirming the reliability of the optical scanners with a random sampling of hand counts.

> At some point perhaps the solution will pay for itself

No, it won't. Computers per-voting-booth are always going to be a lot more expensive than an optical scan tabulator per-site.

Also, because a computer+printer solution involves a lot more devices, you will need a larger amount of testing by hand recount. You are increasing the workload.


Printed paper ballots can remove ambiguity. Did the person spoil their vote, or did they really mean to vote for X, Y, Z?


Canadian ballots are a far cheaper way to reduce ambiguity.

https://www.google.com/search?q=canadian+ballot&tbm=isch

(only one election per paper, no hanging chads, no ambiguous mapping between the name and mark-area)


And since you can't know that the computer actually recorded what was printed on your paper receipt you have to dispute the result by default if a good democratic process is important to you.

So if you have to count the paper ballots anyway, why even bother with spending all that money for a voting machine?


There's at least two reasons, possibly even three:

a) Unless the outcome balances on a handful of votes, chances are no one will contest it. (If the result shows 47% to Party A, 32% to Party B and 21% to Party C, whereas polls showed 46% to Party A, 33% to Party B and 21% to Party C, chances are the result is fair.)

That being said, yes - I think it would be good if just about anyone could contest the result and have a recount done - at least if they had to foot part of the bill, so that not every curmudgeon in the Kingdom would claim recounts just for the hell of it.

b) A voting machine system would enable one to have a preliminary result ready in seconds after ballot stations close, rather than today's system where, based on the size of electoral districts, results may be delayed by several days.

c) If properly designed, a voting machine could assist the user in creating a valid ballot; I've volunteered as an electoral clerk several times - we have had to dismiss surprisingly many ballots as there is simply no (approved) way to determine voter intent. A few checks before the vote is cast would likely improve matters.


For a 2016 article about online voting, I'm really surprised to find no mention of block-chain related solutions... It seems most of the concerns addressed here can be solved with this kind of "open-computing / open-data" technology. If you are interested in this topic, I strongly advise reading: https://medium.com/@DomSchiener/publicvotes-ethereum-based-v... And more generally what can be done with contracts on the ethereum block-chain.

About anonymity: https://bitcointalk.org/index.php?topic=413196.0


This is the answer. You should never trust any one given voting machine. But it is much, much harder to corrupt large consensus networks, and blockchain based voting lets you maintain pseudonymity and it lets you verify the results with whatever computer you want.

Some neat features you can bake into a blockchain based voting protocol:

* You can have temporary identifiers in the confirmation stage. IE, you cast your vote, you can use other computers for the first couple minutes to verify that vote, but after that your vote is added to blocks as a signature rather than direct identifier tied to the block, meaning once committed neither you nor anyone else has a concrete correlation between you and your vote.

* Alternatively, you can have a dual ledger of voter and vote, where the two are not correlated, but you can identify who has or has not voted but not what they have voted for. This gives you less verification integrity but guarantees anonymity to prevent voter coercion.

* You can have kill switches built in, generated hash keys at vote time that will cancel a vote out unique to the vote, either in the confirmation phase or even when committed (basically the same as adding something to a balance and then removing it again).

* You can use one single protocol implementation for all public record voting, and then have membership restricted groups that define constituencies through sidechains. That way you can leverage an international network of computers to secure all votes you want secured, rather than have easily 51% attacked small chains for each vote or constituency. It would be distinct from trustless models in that you would need some kind of parent organization to arrange membership in voting groups and to establish vote blocks.


As I said elsewhere in this thread, blockchains/consensus algorithms won't work. If the computer/phone that the software is running on is compromised and the attackers have control of the video and/or input devices, there are many ways of misdirecting the voter to make the wrong selection - in that case the whole stack of protocols and algorithms work just as they were intended, but it doesn't matter because the selection of the candidate was decided by the virus, not the voter.

And it doesn't take much to swing an election - you don't need to compromise many machines. So you end up needing 100% security on almost 100% of the voters' devices. That's simply not possible.

People have a hard time believing that we can't fix the security problems with online voting. We can't fix them.


Your claims are too broad for the evidence you present.

A trivial solution would be when you vote online you get texted/emailed confirmation. If you don't respond to the confirmation you get a call. The confirmation gives you a candidate you voted for and a blockchain signature and an opportunity to report error.

In the event you report error you could always show up at your local voting booth and get a paper copy.


Please explain to my mother how this system would work.

And should this system fail, or simply be faked, how would I know?

PublicVotes' first claim is to be "fair". Fairness is a property of the form of election (eg approval voting vs first-past-the-post), not the voting system. I'll scan the docs, see if there's any merit, but right out of the gate the starting assumptions are way off base, so don't have much hope for the rest.


> Please explain to my mother how this system would work.

Instead of casting your vote by giving it to a single person you give it to many different groups interested in keeping the election fair. These groups can be anyone -- advocacy groups, political parties, independent auditors, or local governments. They all receive your vote, verify that it's correct, and sign their name below your vote on a public ledger which can't be tampered with without everyone knowing.

Hell, you don't even really need a digital blockchain for this kind of system to work.


I mean the best way to explain it is to say "I put my vote on several pieces of paper, and give it to several people. One person could edit it, but that would conflict with everyone else. Everyone can see who I gave my anon vote to, and can verify that it all matches up." It's abstracted by a lot, but blockchain is basically just a public ledger.


The article indirectly addresses that in the last paragraph: paper is something everyone understands.

I'm all for improving processes with technology but I'll have to admit that even though I've been neck deep in Software development for 2 decades, the block-chain solutions require a fair amount of mental work for me. They may be good but I don't readily understand them. And I can guarantee you that my parents don't.

This brings up the problem of having a solution that only a few experts know how it works. It's a hard sell on the rest of the population to have them trust these "certified voting technology experts" that would have to be in place.


Indeed, that seems like a big weak point: you need to understand the technology to trust it!

First, I think that's great news, if the limitation is only human and not logical, because humans can change (a bit).

Let's look at the digital world currently: people, companies and states use the internet to store and transfer private and valuable information. All the world's financial assets are processed on the network, almost everyone uses ATMs and stores personal pictures online, etc. All of this with just a very few percent of the population (people like me and you) knowing "more or less" how this really works!

Mainstream adoption of online voting on the block chain will require effort from everybody with the knowledge to democratize it, but in fact you don't need to understand all of it to trust it (like when you withdraw money from an ATM).

We could say right now that everyone owning bitcoin "trusts" the block-chain, and I would be surprised if more than 50% of them have read and understood Satoshi's whitepaper and the fundamental basics of the network.

Also at the end, even if it's intellectually new, it's not that difficult to understand even for our beloved parents :)


While that's a decent premise and I agree that less than 5% of the US population understands blockchains, I would also reckon they don't understand HTTP (or HTTPS) protocols, B-trees, networks, cryptographic hashes, or even the compilers that underpin much of technology. But they're more than willing to trust these things with the entirety of their liquid assets if it spares them a 20 minute trip to the bank.

I think there would still be a group of people who don't trust blockchains (or, let's be real, technology whatsoever - like the interviewee). And they're the people that drive to booths and do their business on paper. And I'm okay with that.


However, with all of those, if there is a problem, either the consequences are not significant or there is a paper workaround to the problem, which includes laws and judges.

With online voting, we are deciding the judges that get to say - "everything is totally perfect with the way I got elected."


Honestly, given the fact that a significant number of people already think their vote "doesn't count" (given on average ~40% of people don't even bother) I doubt they would be more concerned with vote tampering than with potential identity/bank theft.


Electronic voting machines are used in many places in the US. I can guarantee you most people couldn't give you any details on how they work. Yet they still accepted them relatively quickly.


From your second link: "True, if you consider vote buying a type of electoral fraud, the scheme is not fraud-proof."

And of course, "vote buying" can be substituted by "coerced voting". Any system where someone can physically see the voter casting their vote is flawed, regardless of whatever tricks you then use to obscure it once it's in the system.


It is a matter of degree. Anyone can carry a cell phone into a voting booth to photograph their ballot. And we already have voting by mail in many jurisdictions.


> Anyone can carry a cell phone into a voting booth to photograph their ballot.

And then they can spoil the ballot before putting it in the box. Not so with this digital system.

> And we already have voting by mail in many jurisdictions.

Which I'm also against, except possibly for emigrants.


In the state of Oregon votes are handled 100% vote-by-mail. I've never heard any complaints from them about voter coercion or other issues caused by not physically stepping into a voting booth.

If there are any issues caused by this in Oregon, or other locales that use vote-by-mail, how come these articles never bring them up? I can only surmise that vote-by-mail seems to work pretty well so far, so what's the rationale for being against it?


Why? Voting by mail vastly increases access and has few risks of fraud. What's not to like?


I'm strongly against online voting. The problem #1 is buying and manipulation of votes. Security and/or anonymity is much smaller issue IMO.

In my country, barely 50% of people vote. Most people don't care about politics. "Incentivized" votes are a huge issue there. People are routinely brought to polling stations and given a thank-you beer on return. Agitators are using all kinds of borderline-blackmailing techniques on older/less educated people.

Online voting would make this A LOT easier.


I think you've stumbled across a bigger issue - democracy is fundamentally broken since no one has any incentive to vote correctly.

I know a lady who's a likely Trump voter. But she also donated money to Hillary in order to get the "woman card". https://shop.hillaryclinton.com/products/the-woman-card She's pretty honest that it's just entertainment for her - like voting on American Idol.

Think about how many elections have been swayed due to "I support Obama because I'm not racist", "Bush looks like a cool guy to get a beer with", "boo yeah Trump - take that liberals who look down on me", etc? (Amusingly, neither Bush nor Trump will ever get a beer with you, teetotalers both.)

People get away with this because their vote doesn't matter. If they vote wrong, they won't lose anything. So why not just do what makes you feel good? You've got no skin in the game.


Maybe representative democracy is broken (there are reams of good texts written about it).

OTOH direct democracy may be not as broken, since the effects of voting are much more immediate and local. See Switzerland that constantly keeps voting against populist measures like lowering the retirement age. It lasted ~850 years so far, longer than almost all European states and 100% of American states.

Switzerland is compact, but even then it's a pretty loose union, a confederation with important laws significantly varying between its many cantons. This system is more or less imaginable in the US with a more restricted federal government (despite the size that was the rationale for the current multi-step representation system), and hardly even imaginable in highly centralized states like France.


People have generally not established direct democracies throughout history for a reason. I personally never want to see a direct democracy in the US, because if you want to have your faith in your countrymen destroyed go spend an hour sitting on a bench outside a Walmart and just watch humanity at work.

The vast majority of people are borderline illiterate emotional animals. You don't see or interact with them because they exist in their isolated silos of service work and personally proffered bars and TV stations, but the number of rational informed actors in any given election is in a steep minority.

I don't know the Swiss well, but I'd hope they have a much better culture to support direct democracy than what the US has, because the US would be a disaster. Islam would be banned, Hispanics would be kill on sight, police would be given heavy artillery to demolish drug dens. Whenever any international news of any kind fazes the country there would be immediate over-reactionary laws passed to diminish liberty and perpetuate a culture of fear, because that is a large part of what we have now, and giving that animal brain legitimacy on the national stage would be a global catastrophe.


> borderline illiterate emotional animals

This may be true in some cases; this is why I think universal vote, without any limitations, is not a good idea. Voting is a privilege and a job of running (a small piece of) your country. Compare it to a jury duty.

This, again, may be false in some cases. Unless the voting process is framed as a sports match (like it usually sadly is), the emotions are much easier to keep in check, and reason is easier to listen to, even without an advanced university degree.

OTOH if you don't trust your countrymen, I wish you all the luck in importing infallible Martians to help you rule your country as e.g. a king. On this planet the only way used to be growing and educating some portion of your countrymen to be able to run the country (without running it into the ground). This applies to kings and dictators to a very high degree. This as well may apply to a wider mass of voters.

I suspect this is what happened to the Swiss: centuries of local self-rule and rather immediate consequences of it, combined with living in rather harsh conditions most of its history, must have educated people not to take the voting lightly. I don't see modern Swiss killing Muslims or Hispanics on sight (it's not the Reformation wars time), but I do see a ban to build minarets [1]. Apparently the fallout was pretty small, without a "culture of fear", Muslims fleeing the country or something like that. Sometimes a minority has to listen to the majority; it's best when the compromise is as small as this ban. Regular not listening to the majority and alienating them makes for what you fear: the mob running over the castle of the highly-cultured but insolent lord.

[1]: https://en.wikipedia.org/wiki/Swiss_minaret_referendum,_2009


Direct democracy is still broken. If I vote wrong I suffer nothing, but I may gain positive feelings.


The point of voting is usually to determine what is right or wrong. If you're a god having all the answers, you need devotees that just obey your scripture, not citizens with a privilege to vote.


I just finished reading Kant's perpetual peace. He says something like "war protects from despotism".

I'm a Finn. During the cold war we were situated right next to Leningrad, but still pretty much a free-trade capitalist liberal democracy. Our country has very little corruption, very good primary education, free health care, conscription and a long line of very very well liked past presidents. Everybody had skin in the game.


Suppose you vote wrong for some national socialist who will destroy the economy and kill the muslims. How much will you, personally, lose? I.e., multiply your actual losses by the probability of your vote affecting the outcome.

Now compare that number to the 1 Euro worth of tribal satisfaction/self righteousness/other positive feels you get from voting for that national socialist.

In contrast, consider a true "wisdom of crowds" situation. When I hold irrational views about share prices, the stock market immediately takes my money and gives it to people with rational views. Bad decisions result in immediate losses in direct proportion to how bad the decisions are.


You need some goal to correctly target that "wisdom of crowds". So first we need democracy to set the goal: Gini-index vs. Pareto efficiency. Freedom vs. security. Protection of personal rights vs. right of group self determination.

Then throw into the equation some very polarizing stuff like abortion, drugs, animal welfare, inheritance tax, immigration and whatnot. Then watch as some political entity loots government budget while people are arguing. This happens in Finland too now that Russia is weak.


> democracy is fundamentally broken since no one has any incentive to vote correctly.

Correction: democracy is fundamentally broken when no one has any incentive to vote correctly.

Your argument against democracy is based on one single implementation, and a pretty flawed one at that. Maybe take a look at how other countries implement proportional representation, or where the political landscape is diverse enough that no single party usually gets a majority on its own (e.g. most of northern Europe).


"People get away with this because their vote doesn't matter."

Why doesn't voting matter? Gerrymandering? The money race? Duverger's Law? The electoral college?


Because your vote has essentially 0% chance of altering the outcome. Hence your expected cost from choosing wrongly is 0% x something = $0.


I asked why, not what.


I think there are big opportunities here for the extension of democracy. Democracy as it stands is quite weak - technically a Polyarchy, meaning that elected officials make decisions which we ratify. This could mean citizens could participate in decision making.

The same reason is why the government and many people will try to oppose it, because greater democracy is a threat to any power system.

The reason why people feel disconnected from politics is by design. The rulers don't want the people to participate, they want them passive.


Do you really want citizens participating though? I have no clue about what it takes to run a state and I'm not a lawyer and can't really read new laws. Also, I have a job and very limited free time that I don't want to spend on keeping up with new developments in politics.

So my opinions are likely very biased and quite useless for the political process. Even elected officials seem to have a hard time reading all the things they vote on, letting Joe average vote on almost everything seems like a recipe for disaster to me.


Look up the Swiss style of democracy. They have elected officials for day-to-day tasks and frequent referendums for subjective matters. From what I saw, their referendum campaigns are great. You can make your own opinion with an hour or two of research, tops. Even with the very limited time, IMO few hours a year is worth it to be more involved with shaping your own society. Best of both worlds.


Look up the situation in California with referendums. More direct democracy is not always wine and roses.


Our Swiss Constitution was based on California's. We added cooling-down periods and made referendums binding to the Legislature, not directly law.


Yes, for instance, Prop 13. Though it sounds good to voters, the actual results are terrible.


> I'm not a lawyer and can't really read new laws... Even elected officials seem to have a hard time reading all the things they vote on...

And yet you're expected to follow them. All of them. Ignorance is no excuse and lack of criminal intent is no defense.

We've got a bigger problem here than how the votes are cast.


When Austin gave its citizens the task to make a decision, they voted against uber/lyft, and now both companies have left the city. Currently feeling like we shouldn't give more voting power to citizens on everyday issues, since the media and lobbies can get people to do crazy things like give up easy cheap and safe rides.


Funny how any time a vote goes your way it's democracy, but any time it goes the other way it's "the media" and "special interests" and "lobbyists" that perverted the system. I am extremely pro-Uber, but wasn't Uber's own marketing partly to blame for the outcome of that vote?


Uber and Lyft spent millions of dollars in campaigning to make people vote in their favor according to the reports I've read.

If "media and lobbies" can get people to vote in their favor, why didn't the side with the money and lobbyists win the vote?


Yeah, democracy can suck when you disagree with the majority opinion...


> Ignorance is no excuse and lack of criminal intent is no defense.

For many, many crimes intent is indeed a requirement.


I think this issue could be overcome by a proxy/delegate style system. With the ability to change proxy/delegate at any time, we would have ongoing accountability and move away from the problems of election cycles. Even better from a representation viewpoint (but more complex from a design viewpoint) is the option to have different proxies/delegates for different decisions/topics.

The real problem is balancing tradeoffs, particularly between spending and taxes. Currently (in Australia at least) the size of the expected budget deficit is a crude metric for the overall financial responsibility of the government and is a factor in elections. If citizens can vote independently for spending versus taxes, then there is nobody to hold accountable (tragedy of the commons).


> I think this issue could be overcome by a proxy/delegate style system.

A proxy system should have an automatic expiration (1-month, 1-year, etc) as well.


> Do you really want citizens participating though?

What is the alternative? Some aristocracy deciding matters without any consent from the citizens?

If you get any alternative that's actually better than the citizens participating, I'd love to hear it.


That is almost exactly what we have now. I'd hope citizen participation would be an improvement but I'm not certain. Populist positions can be good, but they can also be disastrous -- look at Trump, his brand of populism preys on the most base and vile aspects of human nature: hate, bigotry and racism and he intends on enacting policies which will inarguably be horribly destructive to the very fabric of the country and arguably the world. If we had direct democracy, what makes you think we wouldn't just get more of that? A lot of the principled stands that keep the country in one piece are not widely popular.


This is what we have now. We just have a saying on what lizard will rule.

Do you think everybody voting for Trump would vote for his hateful policies? I'm not in the US, but it looks to me that Trump gets most of his approval from his "I'm not one of the lizards" PR. If people didn't have to get the entire package, it's very likely they would be critical of those worse parts.


I'm not sure if I'm reading your comment correctly. I totally agree we should aim towards educated and politically active society. However, educated bit should come first. Then we can start making it easier to participate. Tiering the barrier of coming to polling place won't educate people by itself.


This comment papers over a huge problem. How educated is educated enough?


Yeah, I'd imagine the founding fathers would see today's voting populace as quite educated, relative to theirs...


How do you get those educated citizens when it's against the rulers' interest?


Agreed. In 100 years people will look back at how basic our democracy had become. One choice from a selection of two, every 4 years. This dissociation with current issues is dangerous.

As democracy develops and citizens start to participate, we become more responsible for our decisions.


Buying votes is orthogonal to online voting. One can buy offline votes as well.

If anything, online voting system can let you "change your mind" later, robbing buyer of vote they paid for.


Sure votes are bought offline too. But it's much more difficult.

The people who sell votes don't care to "change their mind". They get their reward and they're happy with that. People who would bother to change their mind, don't sell their votes in the first place.


Why would it be much more difficult?

The difference is "upload a photo of your ballot" versus "upload a screenshot of your vote".


The usual scheme is, buyers pick up sellers and drive them to polling places. Police are usually on the lookout for cars that frequent the polling stations. Or park just around the corner. The sellers usually are homeless-ish/addicts/etc. A large number of such people raises awareness. Sometimes approaching such people and asking what's up is enough. They don't bother to lie and just tell they sold their vote to some guy in a black BMW for €xx.

Now if online voting was allowed, the buyers could just take the seller's signature device and do voting himself. 100% the vote is correct. No possibility to get caught at polling station. The sellers don't hang around the polling station, thus less chance to raise awareness.

In addition to that, buyers could buy the device en masse from the addicts/homeless/etc and have a ready-to-use voting farm.

All in all, yes offline vote buying happens and it's not rocket science. But online vote buying would be much easier, quicker and less chances to get caught.


As I understand it, there's a similar scheme in Oregon's vote-by-mail mechanism. You can buy someone's mail-in ballot, vote the way you want, and have them sign and submit it.


"could just take the seller's signature device and do voting himself"

That's identity theft, which should be punishable by a few years behind bars.

Also, make those signature devices tethered to receiving whatever equivalent of Social Security payments, and addicts/homeless will not let anybody lay a finger on it.


> That's identity theft, which should be punishable by a few years behind bars.

When the holder of the identity agrees, it is not a theft. Of course it is still criminal, but how could you reliably enforce that?


Identity is non-transferrable. It's theft all right, albeit with different victim.

Once one of those addicts complains that you're using their ID, you're toast.


Taking a photo of your ballot paper is a criminal offence (at least where I am) and one which can only be committed at a specific physical location and time. In other words, it's a crime with a very low payoff (an individual vote can't be worth very much money), and a relatively high risk of detection.

The risk of getting caught taking a screenie in the security of your own home with no pollwatchers and election officials around is much, much, lower.


You can take a photo of the ballot with the "correct" box marked and then spoil it (eg. by marking all boxes). That's what I'd do if I was coerced to vote for some candidate.


That's why it's illegal to take a photo of your ballot, at least in most states in the U.S.


Wow, if it is illegal then it won't happen.

They should make killing also illegal.


It's also illegal to become a cat burglar and pull a mission:impossible-style break in to alter votes after they have been cast.

It's very cynical and defeatist to argue that we should never try any solution that is not 100% perfect.


I am copy pasting my article's reply for the sake of debating this.

I, like you, live in a country where barely 50% of the population vote. This is exactly why I think Online voting is good for democracy. Essentially, more people will vote:

I am strongly against the view of the author.

I see that the majority (or a large portion) of voters are fanatics that vote based on affiliation and fanaticism, not policies nor experience.

Ie. The voting numbers are largely biased towards the political fanatic crowd.

I see online voting as a way to increase the number of ordinary people that vote. Getting the voting population to 80%+ or more is good for democracy. I see this as a positive.

Saying Online voting is a danger to democracy is like saying autonomous cars are a danger to safety.

Yes, if the autonomous system doesn't work and is made with loopholes that allow dangerous stuff, it will pose a danger. But if made to work fail-proof, it will be infinitely better.

There's no point in saying something will not work if your only argument is based on the proposition that it's going to be broken before it's even used.

Sure, an unsafe car is not safe. The only way to make it safe is to make sure it's safe.

The only way "democratic" online voting will work is to make sure it's "democratic".


Corruption and incompetence are indistinguishable.

Electronic mediated systems are utterly infeasible to audit. Among other reasons, many failure modes are silent.

The good standard for election administration is the Australian Ballot (private voting, public counting), administered per precinct (distributed), counted onsite when the polls close. It's observable, there's a physical chain of custody (that can be verified), it has the largest attack surface area (increases the cost of attack).

On the privacy note, only the Australian Ballot preserves voter privacy while ensuring a public count is possible. Postal balloting, touchscreens, online voting all remove the secret ballot (otherwise they could not be verified).


Most votes are already bought and manipulated by the handful of people who own the television coverage of the election, by tilting that coverage in favor of their favorite candidate.


The thing about online voting that has always gotten me is that it violates the ideals behind the "Australian Ballot." [0] ie, one should have the right to cast a secret ballot, and doing so in a public polling place at least theoretically guarantees this.

With online elections, there is no proof or protection of this. For me that's the most important thing. Full Stop. Security implementations, hacking, etc. are all secondary concerns in my opinion.

[0] https://en.wikipedia.org/wiki/Secret_ballot

note: As a True Capitalist (I say sarcastically), I've actually come to believe in being able to sell my vote (I'm quite serious), which of course, the secret ballot precludes me from doing. After all, if I'm going to be forced to essentially only choose between the lesser of two evils, I should at least be able to profit from the poorly designed electoral system.

I actually "back of the napkin" calculated this for the last presidential election, and I believe it came down to something like a rather pitiful $3 for each presidential vote (forgive me, this was a while ago). Of course, once you add the other elected positions, this increases, but I believe it was still generally under $20 per vote. I did not take into account geographic discrepancies (different number of positions up for election/different amounts of money spent on highly contested elections, etc)


This is not an issue with online voting, and paper voting does not guarantee that right either.

In Estonian e-voting, you can vote as many times as you want, only your last vote is counted. A week after online voting is closed, there is still a paper voting day, where you can go and override your online vote with a paper vote in the traditional booth. If you were coerced to vote a certain way online, you can still go to this private booth in a public polling place to place your "real" vote.

There are ways to check your vote even in a public polling place. Let's say you need to take a picture of your voting paper before you leave the booth, and you have to send the picture to the person coercing you. The person coercing you is standing outside the booth so that you can't walk back and forth to ask for a new paper.

There are some good reasons against online voting, but most of the obvious ones you can think of are already solved.


> In Estonian e-voting, you can vote as many times as you want, only your last vote is counted. A week after online voting is closed, there is still a paper voting day, where you can go and override your online vote with a paper vote in the traditional booth.

So they can unambiguously tie a specific vote to a voter, yet nobody is concerned about the possibilities of retribution against certain voters?


Yes, they can at some point in the flow unambiguously tie a specific vote to a voter. Postponing the "separation" to after the paper ballots have been cast is then a simple trick. How it works is they encrypt the vote (using asymmetric encryption), and then sign that datapackage with the private key on your ID card.

Once the votes need to be counted, the signature is removed, and all the resulting encrypted vote data is then sent (without identifying information) to a third server which has the private key to decrypt the votes. They are decrypted and then counted. This third server has no access to identifying information. The server stripping votes from identifying information has no access to the decrypted data.
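The flow described in this comment and in the Estonian description above it (sign an encrypted vote, keep only the last vote, let a paper vote override, strip identities before decryption), as an added example that is not part of the thread and not the Estonian system's code. Textbook RSA over fixed Mersenne primes, the voter names and the two candidates are assumptions chosen so the sketch runs with the standard library only; it has no real cryptographic strength.

```python
import hashlib
import secrets
from collections import Counter

# Constructed toy parameters: Mersenne primes as RSA factors. Textbook RSA with
# known factors is trivially breakable; it only makes the data flow runnable.
M = {k: 2**k - 1 for k in (61, 89, 107, 127)}
E = 65537
CANDIDATES = ["A", "B"]


def keypair(p, q):
    """Return (public, private) textbook-RSA keys as (modulus, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(ct):
    """128-bit hash of a ciphertext; smaller than every toy modulus."""
    return int.from_bytes(hashlib.sha256(str(ct).encode()).digest()[:16], "big")


def cast(voter, voter_priv, choice, election_pub):
    """Voter: encrypt the choice to the election key, then sign the ciphertext."""
    n, e = election_pub
    # A random 128-bit pad makes equal votes encrypt to different ciphertexts.
    ct = pow((choice << 128) | secrets.randbits(128), e, n)
    vn, vd = voter_priv
    return {"voter": voter, "ct": ct, "sig": pow(digest(ct), vd, vn)}


def strip_envelopes(envelopes, voter_pubs, paper_voters):
    """Collector: sees identities and ciphertexts, never plaintext votes.
    Keeps each voter's last validly signed envelope, drops voters who later
    voted on paper, then removes identities and shuffles."""
    last = {}
    for env in envelopes:  # assumed to be in arrival order
        pub = voter_pubs.get(env["voter"])
        if pub is None or pow(env["sig"], pub[1], pub[0]) != digest(env["ct"]):
            continue  # unknown voter, or signature does not cover this ciphertext
        last[env["voter"]] = env["ct"]  # a later vote replaces an earlier one
    cts = [ct for voter, ct in last.items() if voter not in paper_voters]
    secrets.SystemRandom().shuffle(cts)  # break the arrival-order link
    return cts


def tally(ciphertexts, election_priv):
    """Counting server: holds the election private key, never sees identities."""
    n, d = election_priv
    return Counter(CANDIDATES[pow(ct, d, n) >> 128] for ct in ciphertexts)


def demo():
    election_pub, election_priv = keypair(M[107], M[127])
    keys = {"alice": keypair(M[61], M[89]),
            "bob": keypair(M[61], M[107]),
            "carol": keypair(M[89], M[127])}
    pubs = {voter: pair[0] for voter, pair in keys.items()}
    envelopes = [
        cast("alice", keys["alice"][1], 0, election_pub),
        cast("bob", keys["bob"][1], 0, election_pub),
        cast("carol", keys["carol"][1], 0, election_pub),
        cast("alice", keys["alice"][1], 1, election_pub),  # alice re-votes
    ]
    # Envelope whose signature was made over a different ciphertext: rejected.
    envelopes.append(dict(envelopes[1], ct=envelopes[0]["ct"]))
    cts = strip_envelopes(envelopes, pubs, paper_voters={"carol"})
    return cts, tally(cts, election_priv)


if __name__ == "__main__":
    print(demo()[1])
```

The separation only holds while the collector and the counting server do not pool what they hold: the collector's log of (voter, ciphertext) pairs plus the election private key is enough to recover every vote.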


You assume that a coerced voter has the freedom to go to the polling booth later to override a vote.

What about coerced voters who are the victim of domestic abuse[1][2]?

[1] http://www.theguardian.com/politics/2001/jun/02/uk.election2...

[2] http://www.fahrenheit211.net/2015/12/04/oldham-was-it-the-be...


Exactly, so it is at least as secure against coercion as current methods.


No, it's not. The paper system allows you to spoil the vote after taking the picture. You can't do that with the digital system.


Which is still coercing your vote. Not to mention normal postal voting is also susceptible to the same problem, and I bet we'd all agree that's much less secure, yet we still use it.


The biggest problem with online/computerised voting is that it is a single point of attack for malicious actors. Even the best software security gets broken from time to time, online voting would allow zero-day attacks on elections - an absolute disaster.

Whilst standard paper voting may also be subject to fraud, it takes the manipulation of thousands of people in order to alter ballots across a whole country. Computers just need the one hack.


My biggest worry isn't about software security. My worry about online remote voting is: what is to stop physical coercion of the voter?

When you have to gather at a centralised polling point to anonymously vote you can be damn sure no one is standing over the voter's shoulder twisting their arm while they vote. If you are voting remotely via a computer screen who is to know?


Physical coercion is possible also with paper ballots. A modern approach is to ask voters to shoot a picture of their voted ballot. No picture, big trouble.

For that reason taking a picture of our own voted ballot is a crime in Italy. Obviously it is also a crime to ask people to do that. Cameras are not allowed in polling places and smartphones should be left outside the polling booth. However nobody asked me to do that the last time I voted. I remember they did many years ago. There were many phones lined up on the desk of the president of the polling place.


Not a foolproof system but a little helpful: In Germany you can request a second (and a third, and a fourth...) ballot.

So fill out the first with fake vote, take picture, ask for second (first one is destroyed), fill out second with desired vote.

This obviously breaks down when the person coercing you is with you in the polling station.


I've seen the following idea implemented: You can cast your vote as often as you want with only the last one counting. Sure, in practice there are a lot of things to consider to make it foolproof and it might be impossible to do securely - I don't know. But it's worth considering.


It would help against forced votes. But it's useless if some lazy person wants to sell his vote. With regular voting, there's a minor barrier in place. The incentivized voter has to go to the polling station and bring back some kind of proof. With online voting, someone could just take his ID (or e-signature device) and vote himself. The voter selling his vote may not even know whom he "voted" for. Furthermore, someone might buy those signature devices off homeless/addicts/etc and build a massive voting farm.


We already allow remote voting for anyone who wants it.


Voting is done by entering a short key. No characters appear on the screen. Only last vote counts.


You're choosing a suboptimal attack spot in your paper voting attack scenario. Instead of manipulating the thousands of people around the country who count & send out the results of those booths, it's easier to manipulate the far fewer people who do the aggregation for final results.

Also a computer voting system that is exploitable via "one hack" is inexcusably badly designed. Yes hacks happen & adversaries have zero-days, but it's possible to build a computer voting system that is highly resistant to those scenarios. As a very simple example: have a standardized vote format that will be counted by three independently implemented systems, each on a different OS, running in parallel. A great system will go to far greater lengths for protection, but this should already show that a simple "one hack" wouldn't work.


It's still a 3-point of failure versus a thousand in a paper vote.

I've seen the British election many times, there are hundreds of people in the counting hall for every district. They count, then they shuffle the ballots around and have different people recount. It would take the bribery of thousands upon thousands of people. People who are under constant scrutiny, not just by those around them, but on TV also.

A computer is almost trivially suborned in comparison. Even our most important pieces of security software, such as openssl and others, get hacked from time to time. If such hugely important - massively used, massively tested - open-source projects get hacked, why on earth would you want to risk computer voting?

It's just standard programmer NIH hubris; we think we can do it better, therefore we should.


>It's just standard programmer NIH hubris; we think we can do it better, therefore we should.

It's not NIH at all. Electronic voting has not been implemented sufficiently. It could be done. It's not about doing it better, it's about doing it at all. It's not-invented-anywhere hubris, and that's plenty of reason to do something.

People aren't much harder to manipulate than machines, and they're also just as transparent. There is no fundamental reason to believe computers can't be more secure than humans when it comes to collecting data and tallying it.


To be done sufficiently, you need to not only prove that your system is fair, reliable, scalable, tamperproof, anonymous etc., but also that your system actually runs. That combination is nigh impossible. That is the fundamental reason, bootstrapping that trust. Imagine you have a 100% open source system, cryptographically verified etc. How do I know that is actually what is running in the voting box?


Secure multiparty computation.

You trust that the right software runs, because unless multiple mutually distrusting parties runs the EXACT SAME software in the same configuration, nothing will happen at all - and they'll hopefully never agree to collude on running anything but the officially agreed upon version.

https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mp...


So who do you trust enough to be distrusting parties? This to me seems to be the same problem as making it proof of work: if the incentives are big enough, the scheme collapses. Look at the creativity that led to caging and other forms of voter suppression.


Not sure. I did consider the risk of bureaucracies becoming cemented within the participating organizations, leading to a harmful drift in values.

But you really only need each department to live for as long as the vote is active, so you can dismantle them and reassemble them afterwards each time. Hopefully that would prevent the establishment of dangerous practices and attitudes.

Whoever is managing it must be held accountable, and must work in full transparency.


Contesting political parties. That's exactly how it's done in many countries already.


I've counted votes a couple times before and can tell you that where I come from in the US recounting is minimal (if done at all). We pair up with a person of our choosing and then count and recount. Collusion is trivial. Just make sure the total counts add up and that your results aren't so wildly disproportionate from the other people's that they'd get reexamined when all the pairs' numbers are summed.

I don't know what you mean by scrutiny on the TV - are local polls counted live on television in the UK?


Yep - this is the kind of thing:

https://www.youtube.com/watch?v=XydeHaqxBbg

It's almost impossible to imagine that someone could bribe that many people to influence an election in the UK. There are 650 seats with over 100k population per seat. I just can't imagine it being bribable on a large scale. Maybe some tiny constituency in a tiny district might get influenced, but the absolute smallest is about 20k votes. That's very difficult to rig.


But you don't have to bribe 100k people. You just have to bribe/influence 50,001 people (and I know that's not exactly true, this is based on a US two party system, not the variety of parties in the UK, but hang with me here.) And in reality, it's as the saying goes for Baseball. "Every team is going to win a third of its games, and every team is going to lose a third of its games, it's what you do with the last third that makes a difference."

Every party is going to have a large number of supporters and a large number of detractors, it's what you do with the unaffiliated votes that matters.

Now I'm really going to talk out of my ass, in a horrible, gross generalization with no support to back me up; I'd guess that for many elections, it's less than 20% of voters who actually decide the fate of their country/district. And since we're talking about voters (not citizens or residents/people), we're then talking about an even smaller group of people you must influence. That's why bribery, voter intimidation and pure old fashioned marketing matter; You don't need to get everyone on board, only a much smaller percentage of key voters. Isn't democracy great?


Some UK seats are marginal. You only need to manipulate a few dozen votes to influence those seats.

That's much easier to do.


> it's easier to manipulate the far fewer people who do the aggregation for final results.

It is, but parties have their watchers spread around the country to report counts to their central. Any substantial difference will be noted and end up in a recount.

What saves us is the mistrust between parties. With internet voting watching each other would be more difficult. Actually I believe that there will be no internet voting where parties really don't trust each other. There will be internet voting where parties are very naive (almost impossible for politicians) or they somewhat agree not to rig the elections (again, too naive to believe?) or to decide them in advance.


Interestingly enough mutual distrust between the organizing parties can create trust through cryptography, in secure multiparty computation schemes.

Still no good idea to do remote voting (social reasons), but electronic voting can be made secure. I linked my own scheme before;

https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mp...


> [...] it's easier to manipulate the far fewer people who do the aggregation for final results.

That problem can easily be solved with transparency. In Germany I can do my own tally of the election results as every state reports the votes down to the individual polling station. For example, here are the results for Berlin from the last Bundestags election: https://www.wahlen-berlin.de/wahlen/BU2013/ErgebWahllokale/w...

I can also observe the count at my local polling station. They are required to announce their results orally after they're done counting and I can confirm that this is the result reported online.

I've been an election helper and I've always checked that the results online match those that we reported. I never did my own tally, but if the results are close I'm sure someone does them.


It's easy to create online voting systems that guarantee a correct result. You just didn't think about it hard enough.


>Whilst standard paper voting may also be subject to fraud, it takes the manipulation of thousands of people in order to alter ballots across a whole country. Computers just need the one hack.

And yet it remains far easier to hack a human administrator than to hack the system they administrate.

So it's really 1000 easy hacks vs 1 really hard hack.


blockchain tech solves your problems.


> In fact, online voting is such a dangerous idea that computer scientists and security experts are nearly unanimous in opposition to it.

Stopped reading.

Online voting is not just about electing presidents.

If you can poll the people easily, you have a democracy where people directly choose, instead of having a mafious bunch in a grand building making what corporations want the law, ahem I meant doing what is good for you.


Nobody will take your comment seriously if you proudly announce that you didn't read the article.

Why not just think "hmm, I wish the title was a little more specific" and then keep reading with the understanding that this particular article is about elections?


You're right, and I did read the whole article, but with a grain of salt.


Do you really think it would be better if anyone could decide about anything, even without having proper knowledge of the issue?

The idea of "representative" democracy (opposed to "direct") is that you elect someone more or less aligned to your ideas, which has the time and competence to make the best decisions. It's far from a perfect system, but let's not delude ourselves about the alternative.

In practice, every decision has its side effects, and law in most cases is the result of compromise.

I can't think of a worse system where your average Joe can vote about things like taxes, gun control, minimum wage, immigration, national security, not having the slightest idea of how his decisions will affect the whole picture.


I really do think so, yes.

And I hear your argument, it was my first reaction as well when the thought occurred.

However, while the "average Joe" may suck at understanding online privacy issues, he may be great at accounting/farming/teaching/what-have-you whereas you suck at that. The thing is, your average Joe is more likely to listen for advice than your congressman. And he's good at something else than congressing, something practical that gets voted upon.

It would need adjustments, it would require recluse intellectuals to care for and enlighten their neighbours, but it would give me hope in the system.


Exactly.

Representatives made a lot of sense when the fastest mode of transit was by horse and buggy, and it took weeks to get a letter from Atlanta to Philadelphia. They make very little sense in an instant and digital age.

Internet 1.0 may not be built for online voting, but eventually some sort of internet with a ubiquitous online ID system will be implemented.


The internet is perfectly fit for online voting, except for this "you can prove how you voted" problem.

Problem is, voting requires that you must not be able to prove how you voted, and that you are certain that your voting was counted correctly. Those two requirements are at odds, which makes all voting systems insecure to some extent - yes, even paper.

Now, vote buying is something that can be dealt with in the real world. Any systemic buying will leave traces. I do think the flaw should be on it, instead of the correctness of the result. Paper, by the way, is flawed on both, but leaves traces on both, that the winners never follow...


It doesn't work because the public is uninformed on 99.99% of issues. And most don't have the patience to listen to the long debates and do the research on every single issue.

If shitty TV significantly influences major elections, imagine how bad it would be if we were a direct democracy.


People will participate in the issues they follow. Plus, voting on ethics is something anybody can do.

You are right about TV though. That would be a whole new level of debate.


> If you can poll the people easily, you have a democracy where people directly chose, instead of having a mafious bunch in a grand building making what corporations want the law, ahem I meant doing what is good for you.

Well, look at Germany. Merkel always does what the majority of people said they want in polls, because she wants to keep having her power (she’s running for her 4th term).

And yet, the results aren’t ideal either.

(Some call her "the walking infratest-dimap poll".)


Andrew Appel (CS Prof. at Princeton) gave a very good talk about the problems of voting systems and why internet voting is a terrible idea.

https://www.youtube.com/watch?v=abQCqIbBBeM

The secret ballot with counting observed by all parties is a technology that evolved out of necessity over hundreds of years. Adding more technology adds complexity which is the same as adding more attack surface.


Just a reminder: democracy is not a panacea. In fact, the founders of the U.S. were all very concerned about democracies. Democracies inevitably lead to mob rule and chaos. That's why we created a representative republic.

We resolved that by creating a layered system, where small, local groups have frequent elections for things that have great power over their lives, and up the chain we elect national representatives much more infrequently to handle big picture things with little impact on daily lives. We also created a senate at all the levels, which is responsible for the architecture of the system itself (which is why we had the state political parties choose senators. Likewise, using this same theory, you would have local governments choose state senators).

Didn't work out that way, but that was the solution implemented at the founding of the U.S. Worked okay for several decades. But nobody wanted a democracy. In many ways that's worse than a single-person dictatorship.

So regardless of the technical issues, democracy itself is fraught with problems, even in groups as small as 100-200. Unless those problems are acknowledged and dealt with, the "online" part won't matter one way or another.


Terrifyingly, Estonia thinks it is such a good idea they use it in national elections.

A good look at potential problems with their system is here: https://estoniaevoting.org/


Here is a response to this "independent" report: https://www.ria.ee/en/e-voting-is-too-secure.html


Wow, this is a rather… childish response. It doesn't actually rebut the claims being made, they seem to dismiss everything with “so what”, as if they do not actually understand what is wrong. And the rest of the post is just deflection by making ad hominems, or complaining about things that weren't what the researchers said.

For example:

> 1. Debian Linux packages were downloaded from a place that the experts didn’t like.

> So they should’ve been downloaded a distro from a .ru or .su website?

They should have been downloaded over a secure connection and verified. Do you know what a MITM attack is?

> 2. The icon of a poker website could be seen on the desktop (was it actually a poker website or ‘an icon similar to the icon of a poker website’?).

> Of course, having this icon on the desktop of course discredits the user of that computer, their country and the entire European Union.

That they have gambling software, whose legitimacy is uncertain, installed on computers used for preparing servers for elections is concerning. Why introduce another possible threat vector?

> 4. The WiFi password of the local guest network could be seen on the wall.

> Oh dear, because the election servers (with the telephones and computers of all guests) are certainly connected to that WiFi network, their ILO ports greedily open.

No, the election servers aren't connected, but the computers used to prepare data for the election servers are.

> 5. The cameraman who shot the audit filmed an elections observer in such a manner that his password was captured on film.

> We do thank you for this observation – we will improve our cameraman’s training – but this is an error of the supporting process (the audit) and not the main process (the elections).

So? You've still had your password compromised.

I could go on.


> They should have been downloaded over a secure connection

That's not how apt works. The connection is assumed unreliable, the verification happens after download with the Debian keyring (already installed, and can be independently inspected and verified).


Sure, apt is secure. However, I don't think that's what's being discussed. If I remember correctly, the researchers were complaining about how Linux ISOs were downloaded, not packages. (The writer of the rebuttal seems to be confusing these, which is, again, concerning.) To quote their paper:

> Despite procedural safeguards, an attacker who strikes early enough can introduce malicious code into the counting server by using a chain of infections that parallels the configuration process. During pre-election setup, workers use a development machine, which is configured before setup begins, to burn Debian Linux installation ISOs to DVDs. These DVDs are later used to configure all election servers. If the machine used to burn them is compromised—say, by a dishonest insider, an APT-style attack on the development facility, or a supply-chain attack—the attacker can leverage this access to compromise election results.

> We experimented with a form of this attack to successfully change results in our mock election setup. We first created a modified Debian ISO containing vote-stealing malware intended to execute on the counting server. The tainted ISO is repackaged with padding to ensure that it is identical in size to the original. In a real attack, this malicious ISO could be delivered by malware running on the DVD burning computer, by poisoning the mirror it is retrieved from, or by a network-based man-in-the-middle.

> During the setup process, election workers check the SHA-256 hash of the ISO file against the SHA256SUMS file downloaded via anonymous FTP from debian.org. Since regular FTP does not provide cryptographic integrity checking, a network-based man-in-the-middle could substitute a hash that matched the malicious ISO. However, this hash would be publicly visible in videos of the setup process and might later arouse suspicion.

(https://jhalderm.com/pub/papers/ivoting-ccs14.pdf)
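The gap the quoted paper describes, as an added example that is not from the thread or the paper: an image checked against a checksum file that came over the same unauthenticated channel verifies even after both were swapped. The file name, the image bytes and the pinned manifest digest are constructed; the pinned digest stands in for authenticating the checksum file itself, which in practice means checking the detached OpenPGP signature Debian publishes alongside SHA256SUMS.

```python
import hashlib
import hmac


def parse_sums(text):
    """Parse SHA256SUMS-style lines ('<64 hex chars>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries


def image_matches(image, sums_text, name):
    """The check from the setup procedure: image hash equals the manifest entry."""
    expected = parse_sums(sums_text).get(name)
    actual = hashlib.sha256(image).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)


def manifest_trusted(sums_text, pinned_manifest_sha256):
    """Authenticate the manifest against a digest obtained over a separate,
    authenticated channel (assumption: stand-in for a signature check)."""
    actual = hashlib.sha256(sums_text.encode()).hexdigest()
    return hmac.compare_digest(actual, pinned_manifest_sha256)


def verify_image(image, sums_text, name, pinned_manifest_sha256):
    """Trust the image only if the manifest is authentic AND the hash matches."""
    return (manifest_trusted(sums_text, pinned_manifest_sha256)
            and image_matches(image, sums_text, name))


def demo():
    name = "debian-example.iso"                      # constructed file name
    genuine = b"GENUINE-INSTALLER" + b"\0" * 47      # constructed image bytes
    altered = b"ALTERED-INSTALLER" + b"\0" * 47      # padded to the same size
    genuine_sums = f"{hashlib.sha256(genuine).hexdigest()}  {name}\n"
    swapped_sums = f"{hashlib.sha256(altered).hexdigest()}  {name}\n"
    pinned = hashlib.sha256(genuine_sums.encode()).hexdigest()
    return {
        "same_size": len(genuine) == len(altered),
        # Hash-only check: passes for the altered image when the manifest was swapped too.
        "hash_only_genuine": image_matches(genuine, genuine_sums, name),
        "hash_only_both_swapped": image_matches(altered, swapped_sums, name),
        "hash_only_image_swapped": image_matches(altered, genuine_sums, name),
        # Authenticated manifest: the swapped pair is rejected.
        "authenticated_genuine": verify_image(genuine, genuine_sums, name, pinned),
        "authenticated_both_swapped": verify_image(altered, swapped_sums, name, pinned),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```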


I feel that our fears are misplaced towards the wrong kind of voting machine, the one that collects the vote. The other kind, the one placing the vote, is far easier to manipulate. Facebook and Google have the mechanisms at their disposal to influence elections globally, and within a couple of election cycles could probably have the world's democracies more aligned to the interests of the US.


That's what I was thinking, although I don't think Google and Facebook are a problem as they can only provide slightly different choices from within a narrow range that people are already interested in. It's the relentless torrent of brainwashing across all media which frames people's opinions and doesn't allow them to think seriously outside of the narrow choices (2 party system, pro/anti [issue]) which ensures that there'll never be change which actually makes a difference (ie the environment, religious crazies controlling nuclear weapons, increasing gulf between rich and poor, companies subverting democracy via lobbying and trade agreements).


Can't you do something with multi-stage voting on multiple independent machines? A way to do error correct coding and consistency enforcement such that no one malicious machine can successfully alter a vote?

I'm thinking smartcards could make it reasonably easy to use, where you simply repeat your vote to some degree and where the chip verifies that the voting machines are all saying the same thing.


I just look at the state of internet "security" and that tells me all I need to know.


Can I assume you also have the expertise to comment on the physical security of current voting systems by comparison as well?


Yes, you can. Current voting systems are completely open to the public and simple enough for the average person to understand.


Exactly.

Most arguments given against online voting systems are equally valid arguments against in-person voting and especially against mail-in ballots.

Those arguments are the red herrings.


Not really. Whilst paper voting fraud is definitely possible - maybe even easier than online fraud - in an election, paper ballots are distributed across an entire country. They require "hacking" 1000's of people in order to corrupt a national vote. Computer hacking just requires breaking the security of one application.


You can't bribe open source.

I find it hard to believe that a modern identity infrastructure (which we don't have, admittedly) combined with basic cryptography can't get us where we need to be.

We might not be able to cryptographically prove anonymity, but all it takes is trusting the government to anonymize the data correctly and make it secure in transport.


> trusting the government to anonymize the data correctly and make it secure in transport

Large banks don't always succeed at that. The government makes huge mistakes all the time. What makes you think this is possible?

The issue is that perfect security is impossible either with physical or digital voting. All we can do is minimize the consequences of an inevitable mistake or breach.


You can still hack open source though. Some of the highest profile security projects like openssl get hacked. Sometimes it just takes a simple misconfiguration to get hacked, like with Debian a few years ago.

The point is, computers provide a single point of failure. Bribing enough of a country's electoral officials to shift a vote without being detected is immensely more difficult in comparison to finding a zero-day in some voting software.

The only guarantee that open source provides, is that we'll probably find the bug eventually. A malicious state actor that wants to influence an election has absolutely no incentive to let people know that they've found a vulnerability with any sense of alacrity.


> all it takes is trusting the government to [...]

Wait, what? All the system requires is trusting the incumbent government with the security of our vote?!

And the fourth Reich lasted forever.


The problem is harder than it sounds when you're talking about something as high-value as a national election (especially in the US).

Have you read "Reflections on Trusting Trust"?


Yes. And the recent paper on backdooring CPUs by adding individual transistors.

You have to make some higher level assumptions in practice or you won't get anywhere.


I have a way to make it better. I think combining old-fashioned checks and balances, with technology controls can make online voting about as secure as it is today (maybe more) and anonymous.

To make it anonymous, it's really just a password. When a user registers to vote, they create an online account. On the days that a user votes, they log into their account and create a ballot. They then create a password for the ballot. This password hashed with a salt, and then hashed with their registration id becomes the unique id of the ballot. This way, at any time a user can login and view their vote... but that vote is not reversible to the voter.

Now for the checks and balances. 3rd party non-governmental parties should have a real-time replication of all data. (it's like an exit poll, but more reliable). Any time a registered voter creates a ballot, 2 things happen. An email is sent to the record holder, and a mail is sent to the address on record. Combine this with a public viewable record of all votes + registered voters who voted online (this information is already public) we should have a good idea at what business is going on.

Perhaps we can't prevent hackers, but this should be sufficient to know if a hack occurred. Of course, all software should be open source, so we can continue to make it more secure.

I think it's more secure than what is available today because today, I can't look at what is on public record as my vote. If someone changed it after I cast it... I'd never know.

If I knew someone would use it, I'd write the software.


Electronic voting is an entire field of research. As with cryptography, do not come up with your own methods.

Here are some problems with your method: allows coercion (is not receipt-free), violates vote secrecy (attacker can just force voter to reveal password), allows ballot stuffing, allows partial results (no voting under equal circumstances), probably completely relies on server for "security" of passwords, salted hashing orly?, hash tied to voter by timing info, ...

There are voting schemes (the more sophisticated ones are cryptographic, but interestingly there are non-cryptographic voting schemes like Punchscan that have interesting properties) that address these. But it gets fairly complicated fairly quickly, and at some point normal voters won't be able to make sense of them. The cryptographic voting schemes also tend to get computationally unwieldy, e.g. by requiring huge mixnets.
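The password-derived ballot id proposed above, with two of the objections from the reply (not receipt-free; hash tied to voter by timing info) made concrete. This is an added sketch, not code from any commenter: the SHA-256 construction, the server-wide salt, the `VotingServer` class and the sample voters are all assumptions constructed for illustration.

```python
import hashlib


class VotingServer:
    """Toy model of the proposed design; every name here is hypothetical."""

    def __init__(self, salt: bytes):
        self.salt = salt            # assumption: one salt held by the server
        self.public_ballots = []    # the "public viewable record of all votes"
        self.notifications = []     # the e-mail sent when a ballot is created

    def ballot_id(self, registration_id: str, password: str) -> str:
        # One reading of the comment: H(H(salt || password) || registration_id)
        inner = hashlib.sha256(self.salt + password.encode()).digest()
        return hashlib.sha256(inner + registration_id.encode()).hexdigest()

    def cast(self, registration_id: str, password: str, vote: str, now: int) -> str:
        bid = self.ballot_id(registration_id, password)
        self.public_ballots.append(
            {"ballot_id": bid, "vote": vote, "created_at": now})
        # The proposal notifies the voter on every ballot creation; here the
        # notice is logged one time unit after the ballot (constructed delay).
        self.notifications.append(
            {"registration_id": registration_id, "sent_at": now + 1})
        return bid

    def view_vote(self, registration_id: str, password: str):
        """The 'log in and view my vote' feature from the proposal."""
        bid = self.ballot_id(registration_id, password)
        for ballot in self.public_ballots:
            if ballot["ballot_id"] == bid:
                return ballot["vote"]
        return None


def link_by_timing(notifications, public_ballots, tolerance=5):
    """Join the notification log to the public record on timestamps alone.

    Both streams are visible to anyone holding the real-time replica the
    proposal hands to third parties. No password or salt is needed.
    """
    linked = {}
    for note in notifications:
        near = [b for b in public_ballots
                if 0 <= note["sent_at"] - b["created_at"] <= tolerance]
        if len(near) == 1:          # unambiguous match: anonymity is gone
            linked[note["registration_id"]] = near[0]["vote"]
    return linked


def build_demo() -> VotingServer:
    # Constructed sample data: three voters casting at different times.
    server = VotingServer(salt=b"constructed-demo-salt")
    server.cast("REG-001", "correct horse", "Candidate A", now=100)
    server.cast("REG-002", "battery staple", "Candidate B", now=460)
    server.cast("REG-003", "tr0ub4dor", "Candidate A", now=910)
    return server


if __name__ == "__main__":
    server = build_demo()
    # Receipt: the same lookup that lets a voter check their ballot lets
    # anyone they hand the credentials to check it, and a wrong password
    # returns nothing, so the voter cannot show a plausible fake.
    print(server.view_vote("REG-001", "correct horse"))
    print(server.view_vote("REG-001", "made-up password"))
    # Timing: the hashed id never has to be inverted.
    print(link_by_timing(server.notifications, server.public_ballots))
```

The hashed id hides the registration id in the public record, yet the vote is still provable on demand and linkable from metadata, which is the gap receipt-free schemes are designed to close.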


Is there any solution where I can verify my vote, but someone can't coerce me into showing them?


Yes, with end-to-end voting you can be certain that your vote wasn't modified but you can't prove to someone whom you voted for https://www.cs.jhu.edu/~sdoshi/index_files/randomness_paper....

Using interactive proofs you can know that the machine won't modify your vote, and using zero-knowledge proofs plus a distributed key you can decrypt and randomize, being certain that votes haven't been lost and without revealing whom people voted for.

Additionally with a public ledger like the blockchain, you can be certain that your vote is there (checking your signature), and when votes were cast.

Using something like colored coins you can ensure that no additional votes are created.

The problem that I do see with remote voting is that I could be right next to you when you vote and coerce you to vote for the person that I want


My approach to achieve what you describe:

https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mp...

It is based on multiparty computation, and individual smartcards for the voters (the simplest secure solution).


Natanael_L I just skimmed through it but will read it later today. I worked on a prototype earlier this year implementing the blockchain part, not secure yet, especially as it doesn't implement the end-to-end encryption. Anyhow you can read about it here and there is a link to the video of the prototype https://medium.com/@jagbolanos/votosocial-org-towards-an-e-v...


Well we already have mail-in voting and coercion could happen at some shadier physical locations.

Would it be possible to add another vote that invalidates the first, but preserves anonymity? Then there's no guarantee that someone doesn't just revote.


Probably not.

You could make it anonymous - the unique combination of your vote, your key, and the election blockchain could produce a password unique to you. This would allow you to verify that your vote was counted, but would not allow anyone else to do so - if they coerced you, you could run your key, the blockchain, and the opposite vote and produce a different password and your attacker would be none the wiser.

But then if you find that your password has changed, how do you prove it? I don't think there's any way to prove election fraud without violating election confidentiality, even for paper ballots. How do you propose stopping election fraud with paper ballots? The current defense is merely "it is hard."



In the end of the day, my vote is signed, and any of the bailout checkers can discover who I voted for. Also, I can not total the votes and verify their result.


With multiparty computation, nobody has the access they would need to decrypt any votes.


There are electronic means if you're a crypto-nerd, but for the general public, paper ballots suit. You know your vote is marked to your preference when you put it in the box, and no-one can make you prove it one way or the other. You should also be able to stick around (or get someone to stick around for you) and confirm that the box you used is included in the counting, should you desire to.


I've been talking with people involved in elections in Honduras and they explained a technique that is normally used for paper ballots. It's called "La Cadena" (the chain) and it works like this.

A person goes to the voting center and gets a ballot.

That person goes to the booth and marks the ballot.

That person skips entering their ballot and goes out.

Shows the ballot to the coercer, verifying the vote.

The coercer gives the ballot to the next person.

The next person gets another ballot and has the previous one hidden.

That person introduces the new ballot, hides the old one and goes out.

And the chain goes on.

Apparently it's a common way to coerce votes in low income urban areas and rural areas. You only need distraction or complicity from a person from the voting table and it's hard to detect.

Another common issue is vote stuffing.

On the philosophical part, it is in the end a human problem, but with technology at least you should reduce the possibility of cheating


An interesting tactic, but that kind of coercion would also work with online voting - standover men forcing you to vote on their computer, where they can see and track you. I imagine this would be particularly effective in poorer areas with less access to computers.

Complicity is always going to be hard to work around (it's the primary fault vector of electronic voting), but it seems 'the chain' wouldn't be too difficult to detect - the standover men would have to farm the ballots from the outgoing people and get them back into the line going in (but again, complicity to look the other way...)

Vote stuffing is easy to work around - have the ballot papers custom-marked as they're handed out.

> technology at least you should reduce the possibility of cheating

Technology also opens up lots of new avenues for cheating. It also has the problem of not being understandable by the layperson if they have to manage it in any way at all.


It's also trivially easy to defeat this. Here in Canada, your ballot has a counterfoil with a number on it. That number is only removed immediately before you deposit your vote into the ballot box. This ensures that the ballot you deposit is the same one you were given by the polling clerk.


I can't see how that in any way can be anywhere near secure enough. Online voting for anything important, is a bad idea.

https://www.youtube.com/watch?v=w3_0x6oaDmI


They are describing a system that can't be hacked by a single individual because there would be a third party with a record of every vote.

The video you cited uses a poorly planned and executed example of an online vote.

The US voting systems are also a poorly planned and executed set of systems.


Electronic voting of any kind is dangerous, it's amazing how much trust is used in any voting but how little can be afforded when it's electronic (online or in person machine based).


Are you saying you would be able to look and see what you voted for or just a hash of your vote? One important part of a secret ballot is that you can't sell your vote OR prove who or what exactly you voted for. (This is prevented by vote-by-mail ballots which could theoretically be sold, but it's worth considering for future systems.)


There's an important property of democratic voting that you're missing: Not only Computer Science PhDs with cryptography experience should be sure their votes aren't manipulated, everyone needs to be.

That's much easier with physical systems.


http://www.openvotingconsortium.org/our_solution

Stops Secrecy in Vote Tabulation: OVC has a team of scientists ready to program computer software for voting machines and electoral tabulation that would be publicly owned or open source. Open source software could be checked by any party or group by hiring a capable computer programmer.

Provides Paper Trail: The OVC recommended procedure for tabulating elections relies on a paper ballot that is then fed through a scanner into a locked ballot box so that all originals are saved in case of the need for a recount or audit (See Sample Ballot).

Scientifically Verifiable: In addition to open source voting machine and tabulation software, the Open Voting Consortium is also working on a database checklist for standard practices in vote tabulation that would assure transparency and accountability. Some aspects of the OVC concept will soon be enfolded into California legislation.

Saves Money: Typical voting machines cost between $2,000 and $3,000, but OVC open source software could be run on any personal computer (PC) and ballots could be printed on a normal printer. OVC envisions PCs with tamper-proof cases as the new voting terminals at a savings of hundreds or thousands of dollars per terminal.(See page on OVC Cost Analysis).

https://www.youtube.com/watch?v=q8CSKdMTARY OVC at LinuxWorld 2008


Recounts and Audits are only as good as those running the recount and audit.. See Chicago, Arizona, NYC, etc, etc, etc, etc, etc....


Interesting. I'm no subject expert so I can't critique this, but it sounds better than other online voting systems I've heard. I like the checks and balances in place too.

Now I only skimmed this article, but I feel like most people who argue against online voting use arguments about how insecure it is that already apply to what's happening right now (voting software is a black box, can be hacked, etc etc, this also describes current voting machines). The only difference is there isn't a single voting db or site somewhere for people to manipulate a large number of votes (which like you said is protected as long as people can verify the open software / data).

Yes paper does have indelible properties but paper doesn't scale well, and having a paper counting machine introduces the same black box that people use as argument against current voting machines. Yes security is an issue, but scalability is also an issue.


not scaling well is a security feature!

it's a lot harder to steal and alter 5000 ballot papers than 5, which is not the case with electronic systems.


True, but not scaling well has its drawbacks in voter participation and data management, no?

Like the post above me said, isn't the risk of people's votes getting switched OK as long as people can verify their vote value?


Only to be discovered later that NSA is spying on your votes too.


Not convinced that in an age where I can buy a plane ticket for thousands of dollars, where we are thinking of sending people to Mars and I can securely communicate with people, in an age where Edward Snowden is able to send private documents or whatev, and I have computers on my wrist, pocket and dick, I have to go to a physical place, stand in a queue and draw on a piece of paper to cast a ballot.

I've been hearing these complaints for years now, I don't buy it. It's a problem, solve it. Start from here - everyone has a digital signature or certificate or another mumbo-math-jumbo, the system for collecting votes is open source. You have an account at the web service and you can see that your vote has been cast for that candidate that you wished, so who watches the watchers - everybody. Pick two authorities - one counts votes, the other distributes keys. One gets a summary of votes only, the other has the mapping of key-person.

Sure there are problems. But it sounds to me like laziness and lame excuses.


With all due respect, buying plane tickets and voting are quite different processes; when buying a ticket, everybody has an interest in knowing WHO you are, being able to connect your ticket with your credit card and whatnot.

When you vote, we're very interested in NOT being able to connect you with your vote - heck, in some countries it can even be dangerous if the powers that be find out what you voted. (The results being rigged to ensure they remain in power does not mean there's no interest in finding out who the opposition are!)

Also, we would like to be reasonably sure that you voted as you wished and that you were not under pressure to vote one way or the other; this, too, is much easier to keep under control if you have to go to a dedicated location to vote, rather than just clicking a few buttons on a computer in your home.

And, obviously, we'd like to be reasonably certain that the votes have not been tampered with after they were cast; one of the major benefits of paper ballots is that they do require quite some effort to manipulate after the fact - ballot stuffing is a lot easier if all you have to do is add entries to a database.

My preferred voting mechanism would be a hybrid - you go to a designated voting station, where you find a machine in the booth. The machine lets you choose whatever list or candidate you wish to support, then after you've confirmed your selection, it adds your vote to a tally AND prints a paper receipt, which is then deposited in a ballot box. This receipt shows your choice in plain text.

Now, you have the best of both worlds - the machines can give a (preliminary) result the second the ballot stations close; if anyone wants to contest the vote, there's no need to resort to computer forensics to decide whether the data may have been tampered with - simply count the ballots like we've done for the past few hundred years.


> My preferred voting mechanism would be a hybrid

This is the system advocated by Bruce Schneier[1], I wish it would get more traction. If it's good enough for him, it's good enough for me...

[1] https://www.schneier.com/essays/archives/2004/07/voting_secu...


Wow. The bitter part is that I googled and found that I first suggested something like this in 2007, three years after Schneier. (It would have felt great to claim that 'Bruce Schneier later formed a similar opinion.')

Heck, it is even possible that I merely parroted Schneier's idea; I do read him on occasion, but not as often as I should!


Arriving at the same solution independently probably just adds to its merit. It's a good solution IMHO.


Give me a way to permit online voting but also be sure that the person who is voting was not coerced. I think you'll find that this is impossible.

At least with a polling booth, even if the voter is being coerced, it is difficult for the coercer to verify which way the voter voted. One might come up with ways to surveil the booth (whether in general or through the coerced voter), but at least we have a chance at detecting this.


It's not difficult at all to verify - just insist that the person being coerced take a selfie with the ballot. I'm told this has already been implemented by communist terrorists in India, though I can't find any English language sources.

I think a big chunk of the opposition to electronic voting by techies is simply a failure to recognize that physical systems can also be hacked. Which is of course silly - the only time I voted, I did so fraudulently.

(The lack of voter ID laws in NJ made it very easy. To prove a point to a friend that voter ID laws allowed fraud, I voted as my friend. Then he voted as me. I won the bet.)


We've got a simple way to defeat this particular attack in Norway - the ballots are in the booth. You can take a dozen if you like.

Electoral workers inspect the booth regularly to make sure all parties' ballots are available.

If you cannot find a particular party's ballot, you are encouraged to take the remainder of another couple of ballots (So that you won't have to walk over to staff, asking them to provide more ballots for party X), leave the booth, bin the ballots and ask staff to refill the booth with all valid ballots.

Once you leave the booth (which is right in front of the electoral clerks), you head over to the desk with the voter register, your identity is confirmed against the register and then your (folded) ballot is stamped, immediately after which you put it in the ballot box. Only ballots with a stamp on them are counted, eliminating the risk that someone would (quite literally) go ballot stuffing by folding several ballots and trying to get them put in the ballot box; only the stamped one counts, anyway.


Did you not read my post? "One might come up with ways to surveil the booth (whether in general or through the coerced voter), but at least we have a chance at detecting this."


We have a chance at detecting purely electronic hackers also. For example, hackers made 574 attempts to connect to one of my servers as root since the logfiles were rotated.

This idea that physical is somehow categorically better than electronic is just magical thinking.


Let's say I'm an abusive husband. If my wife has the choice of voting online, I can force her to choose online voting, make her vote at home and in front of me, and nobody has any way of detecting my coercion. If my wife has no choice but to go to a polling booth, election observers absolutely do have a chance of detecting my coercion.

> This idea that physical is somehow categorically better than electronic is just magical thinking.

No, it's a demonstrable fact. You have created an "electronic hacker" strawman here. The problem I am raising is that of coercion, not a man in the middle. You have not been able to provide any means of mitigating it when not using a physical polling booth.

Problems such as "electronic hackers" are only problems on top of the problem of vote coercion, which is clearly made much worse with any ballot system that does not use physical polling booths.


You won't go very far by tampering with a single vote. Try coercing with 10 thousand people, and see how easily you are tracked.

The benefit of online votes is that coercion and data stealing are the only flaws we must take care of. Instead of this huge structure trying to cover for all the flaws of paper, we can focus on those two well specified ones.


Again, let me point out communist terrorists have already hacked this. Selfie in the voting booth. "Chance of detection" is just an assumption that some magic occurs because things are physical.

Your hack also works for absentee voting, which we already have. Do you propose eliminating that as well?


The good thing about physical is that it demands much more effort to tamper with results.

Also, the mechanisms we put in place to prevent tampering are easily understood by just about anyone, not just people with CS degrees - which lends credibility to the process, which I find to be a benefit.


This is already accounted for in many voting systems. You can either get a new ballot after you take the picture as "proof", or as a last resort you can spoil your ballot.


"In order to retrieve your votelocker key, you must publish your completed ballot and voting receipt to candidate.onion"


Give me a way to permit paper voting but also be sure that the person who is voting was not coerced.

Really. I'll wait.


buy a plane ticket

Not anonymous.

sending people to Mars

Not online.

I can securely communicate with people

Either not anonymous, or not verifiable.

Edward Snowden is able to send private documents

Not available to the general population.

I have computers on my wrist, pocket and dick

Eeuw.

Online voting is a complex problem, and goes counter to all other online systems we have. No other system guarantees strong anonymity, strong verification and strong access control at the same time.


> It's a problem, solve it.

Why exactly is it a problem? Why not just vote by red-pencil?

Obviously there is a small drawback of it taking a bit more time.

Then again, one important feature of a voting booth is that you cannot prove your own vote. This is important because it prevents selling votes or blackmail, and seems impossible with any online voting system.


"one important feature of a voting booth is that you cannot proof your own vote"

Why so? You can take a photo of your ballot after filling it.


If you do not have the time to go to a physical place and stand in line, then you are lazy. If you are lazy in the first place, then I doubt that you have real political interest in the second place, which means you will do uninformed decisions anyhow.

Political decision making needs some burden. You need to take your time. It is not a decision like whether you want a Burrito or a Pizza for tonight.


There are many problems.

Is the hardware open-sourced, too? It should, there are known back-doors in many hardware nowadays (not talking about the unknown).

Plane ticket, electronic banking, etc. - they have an immediate feedback that corrects mistakes (or worse, attacks), elections should not have such feedback, because one should not be able to prove how they voted afterwards (because of buying votes or coercion to vote in family, workplace, church, etc.)

How do you "see" that you have voted for your choice? Because your monitor tells you so?

Maybe let you start with your queuing problem (I have never waited in one to vote and do not even know personally anyone to do so).


"How do you "see" that you have voted for your choice? Because you monitor tells you so?"

Blockchain-like technology can do that for you.

(Not everybody will have enough determination to actually do the checking, but some people will, and they'll alert general populace if something goes weird)


I kind of agree. Some of the technical issues do seem like good points to think about, but a lot of the issues raised here (eg, coercion and the lack of anonymity) would also be applicable to ballot by mail / absentee ballots. Many nations have had ballot by mail for a while. Although there's been some fraud issues, I'm not aware of extensive fraud / anonymity problems. Certainly not to the point where the phrase "danger to democracy" is applicable.

Actually I would think electronic voting could be made more secure and less fraud-prone than ballot by mail, to be honest.


> and I can securely communicate with people

At best, we have achieved this with major caveats such as:

a) Only if your device is not compromised

b) You trust a CA to verify the identity of the remote host

c) You trust whatever cert/key you see the first time for a given entity

Even in your proposed solution you have replaced one hard problem (voting) with another (key distribution & mgmt) and completely ignored people's desire for elections to have certain other properties (anonymous, uncoerced).


Any solution that begins with "Everyone has..." is going to raise the question of cost. What's that rule that some systems which attempt to achieve 100% coverage will approach infinite cost?

Travelers pay a high price for the complex air travel reservation system we have now. Poor people don't fly on airplanes, but poor people will have to vote.


Maybe OT, but why is one of the requirements for a better voting system "anonymous"? What's wrong with a voting system in which every citizen's vote is transparent and available? Seems like it would be much less susceptible to fraud and easier to audit that way. I don't see a problem with anyone seeing how I voted!

Maybe I am missing something?


In a system where your vote can be verified, you can be coerced into voting a certain way.


As a special case of this, one might see the mild "coercion" in simply being uncomfortable with going against the grain by voting for something that others strongly dislike.


The votes do not need to be public. It should only be verifiable to people that know your key.

That does not solve actual coercion, but honest peer pressure isn't a problem.


In a system where your vote can't be verified, there's no way to assert that

- your vote went to the candidate that you chose

- all votes come from actual human beings

Politicians can rig votes without coercing anyone, so I guess that's a plus.


That could be avoided by generating a new identity for each vote.


Thanks for those (other comments) - it seems obvious in retrospect. As someone whose vote cannot be bought these things don't occur to me. :-)


I'm not looking to buy your vote. But should you choose poorly come Election Day, maybe me and the boys will pay you another visit.


It enables candidates purchasing votes


I don't see why this is such a bad thing. It happens anyway, let's just be honest and own it.


The only difference right now is that we don't receive a penny of the money spent on voting campaigns.


I'm not going to claim that "current" electronic voting machines are good, but the article makes no convincing arguments beyond an "I am a computer scientist" appeal to authority that it "couldn't" work. Honestly if you are going to talk about the problems involved in voting at least discuss some of the interesting anonymity preserving and deniable cryptographic techniques people have come up with- ring signatures, blockchain verification, etc. Maybe he's just assuming the powers that be would never let an actual trustless system get into play. If I can manage and view my money trustlessly with, e.g., bitcoin (and verify all transactions back to the original block) then there is no reason I shouldn't be able to do the same for votes - and verify all votes back to the original block.


Online voting is quite different from electronic voting machines. I've heard it being referred to as i-voting (online) vs e-voting (electronic voting machines).


Thanks I didn't know those terms.


This is based on the premise that we have a democracy in the first place. There is nothing really to endanger here.


I don't see a way we can have a direct democracy without facing the dangers of online voting.

We either trust in our politicians to represent us well, or trust in software we will lobby to peer-review.

Beyond that we trust the majority won't vote for stupid things.


In fact, online voting is such a dangerous idea that computer scientists and security experts are nearly unanimous in opposition to it.

I hate when articles make these ridiculous claims in order to inflate their credibility. Are there problems the security community needs to address before using technology to vote in a democracy? Yes. Is online voting a danger to democracy? No, but there are bigger problems that need to be solved before online voting should be implemented.

Point: I just tried to temporarily remove a freeze on my credit report after the Office of Personnel Management (aka, the office for federal employees) lost all of my PII in a large-scale hack that occurred more than a year ago. For those of you interested, all of my credit is essentially frozen indefinitely as a result of this hack. Now, in order for me to validate my own identity, I had to reproduce (sometimes unsuccessfully) a series of data points that anyone with a hard copy of my credit report combined with my OPM breached data could reproduce. The real issue is the fallacy that a human being is uniquely identified by a set of data points (paper or otherwise). This is fundamentally the issue that must be overcome before we can breach issues like online voting reliably. We continue to create systems based on this fallacy of personal identification, and it is creating more problems than it is solving. Again, paper or otherwise.


Coming to a future near you -- "Whole Gene Sequencing Attestation: What better to prove you're you, than you? Come by one of our labs today to refresh your ID token!"


I always thought a large cipher blockchain would be a pretty good idea. One could argue that "analogue" voting also has many vulnerabilities in the voting stack.


Tom Scott has done a very good video on the dangers of e-voting [1]. Good watching for me and also entirely suitable for my mum.

[1] https://www.youtube.com/watch?v=w3_0x6oaDmI


I've watched this video several times now.

Is there any balance to this enthusiastic laundry list of "here's another negative reason why this is a Very Bad Idea"?


Sometimes a bad idea is just entirely bad o_0


  "No more taking time out of your workday to travel to a polling place only to stand in a long line."

In Sweden, the voting is always scheduled for Saturdays - to interfere as little as possible with people's work. (Some work on Saturdays...)


And in recent elections some polling places have been open for weeks in advance so you don't have to vote on a specific day.


You should check this article in the last Phrack: Internet Voting: A Requiem for the Dream - http://phrack.org/issues/69/11.html#article


Ultimately, is paper the gold standard we should stick to? Nope. Come to India and watch how voting machines are used efficiently in almost all elections, from local bodies to Lok Sabha elections.


Efficient maybe, but trustworthy? How can you know that the voting machines are not rigged in any way? (The same goes for e.g. Brasil.)


No party has dominated elections in India over the years since the EVM has been introduced. The Election Commission is the autonomous authority responsible for conducting all elections in India and there has been no information of corruptions regarding them till now.


this is pretty sad coming from stanford. With blockchain tech online voting is now more safe than ever if we just push for it. Wouldn't want to fix those rigged elections now would we?


Is F.U.D. the only toolwork activists know?

This article is ludicrous. Some of his proposed scams are so risky that are borderline childish. E.g.: massive phishing; in recent Canadian elections the Conservative Party tried something similar (search "Robocall scandal Canada") and got caught easily.

Truth is: online shopping & banking are way more profitable for hackers and, still, are very secure nowadays.

B.T.W.: the touchscreens the author despises so much are a huge success in Brazilian elections.


The current issue of Consumer Reports magazine has an editorial arguing for online voting. They are very well thought-of. If you think it is a bad idea (I do), you might hope to have some effect by writing the editor (I did). http://www.consumerreports.org/cro/about-us/contact-us/index...


Yes, the problem with societies is the security of their voting mechanisms.

Physical ballots are manipulated and forged all the time. Doing it online just dispenses with the pretense of legitimacy altogether.

In the majority of elections, voting is an empty ritual that dresses up a transfer of power that was already decided among a tiny minority of essential power brokers.

Voting should be done online if only so that people will stop believing the fairy tales it facilitates.


Anibal Fernandez, who was a candidate for governor of the province of Buenos Aires for the political party of the former President, Cristina Fernandez de Kirchner, was spotted going out with his jacket full of voting ballots from the opposition party of current President Mauricio Macri. He (Anibal) and others from Kirchner's party used this practice so that people could not vote for the opposition.


I do think online voting is not a technology question and discussing implementation details is a red herring / bike shedding situation.

I see no incentive in disrupting the status quo and engaging more people in politics from the POV of the current ruling powers benefiting, yet there is a slippery slope argument for more decentralized/direct governing and less powermongering further down the road.


In democracy it's your vote in elections that counts; In FEUDALISM it's your count that votes;

http://m.timesofindia.com/india/China-mocks-Indias-democrati...


The danger is not in the voting being online, the danger is in democracy itself.


seems relevant:

"We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too."

https://www.youtube.com/watch?v=TuW4oGKzVKc


Online Voting cannot prevent https://en.wikipedia.org/wiki/Vote_selling


neither can paper ballots.. so what's your point?


Some friends have an open source but easy to use as a service online voting platform: https://nvotes.com


i do not think these concerns are legitimate any longer. if internet security was impossible then my bank account (along with others) would have been hacked long ago. everybody banks online. this is just conservative backlash. the real problem with elections is that a lot of people do not bother to vote, which puts the legitimacy of the elections into question. online elections can help solve that.


When a bank is hacked, millions of dollars go missing. Police are called in, investigations are launched.

When an election is hacked, a plausible candidate gets some extra votes in their favor, tipping the election. Billions of dollars get spent on dubious but not technically illegal contracts. People shrug and say "Well I didn't vote for them."

I'm sure a rigged electronic election would leave traces like any crime, but there is no smoking gun and no body. If done right you would have little basis to demand an investigation.


Not voting is a perfectly legitimate choice for a voter. Also, deciding who to vote for is a hard decision to make if you are not that much into politics.

I would rather have people staying home than casting random votes based on their emotions, or who they happened to see on a billboard on their way to the voting point.

Voting should be a conscious effort, so making it too easy to vote is counterproductive.


> Computers are very complicated things and there’s no way with any reasonable amount of resources that you can guarantee that the software and hardware are bug-free and that they haven’t been maliciously attacked.

Yeah, except that we have reliable open-source systems available now where every single decentralized transaction is known to everyone, such as Bitcoin. Thanks for the ignorant FUD, though


Well, the way provisional ballots and vote by mail flaws have been exploited is also a danger to democracy.


Um, I don't think there is much legitimacy of elections right now. How the fuck did Trump buy his way into the Republican party for one? Do I really think my vote counts right now?

"Online voting could threaten the fundamental legitimacy of elections?"

The author does have some valid points, I just thought it was funny that some people think our elections are legitimate.


Do you believe the majority of GOP voters support Trump?


There were some allegations from Kansas statistician Elizabeth Clarkson on voting anomalies.


The key claim is: there’s no way with any reasonable amount of resources that you can guarantee that the software and hardware are bug-free and that they haven’t been maliciously attacked

The same could be said about other electronic systems that already govern lives, like planes, cars, phones and medical equipment.

And yet life goes on.


But those things do go wrong all the time. Luckily they don't dictate who controls the entire country.


Except half the country is not doing everything possible to bring every plane under their control. With the other half trying to resist with little regard for the safety of the passengers. Security and transparency are far more important when humans are in conflict.


Well he should try http://agoravoting.org


How does this guarantee a secret ballot, i.e. that voters remain unable to prove to a third party that they voted in a particular way?

Low-value elections don't necessarily need secret ballots, but it's important for high-value elections, like selecting the POTUS.



