Physical collection is risky, but we can mitigate the risks.
I can't speak to the US system, but here in New Zealand every political party is entitled to appoint scrutineers to each polling place. They cannot speak or interact with anyone but they watch the whole process from checking voter entitlement, through transporting the ballots and then counting.
The idea is each party distrusts the others so won't let them get away with rigging the ballot. Mutual distrust produces a trustworthy outcome.
Election administration is by state in the US. To my knowledge, every US state except for West Virginia allows some form of "observer" or "challenger" (or sometimes both with different purposes), often appointed by either political parties or candidates. It's a bit of a patchwork from state to state, but yes, in general, there is a system of interested persons observing the polling place.
(In this state, observers and challengers are different, with challengers specifically serving the purpose of challenging individuals that may not actually be qualified to vote. Since the pollbooks are electronic today, challengers are rarely seen; they were generally only able to challenge clerical errors that are no longer seen with computer pollbooks.)
Electronic votes can be checked statistically after-the-fact through audits, but that's about it.
It's mind-boggling we don't do that already -- most voting districts would need only a few random ballots, and you can gradually increase your sample size and check again before needing to trigger a full recount.
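The escalating-sample check described in the comment above is what a ballot-polling risk-limiting audit does. The sketch below is an added example, not code from the thread or from any election system: it applies the BRAVO sequential test to a two-candidate contest, and the function names, the two-candidate simplification and the constructed ballot box are assumptions.

```python
import random


def bravo_audit(draws, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling test (BRAVO) for a two-candidate contest.

    draws: hand-read paper ballots in the order they were randomly drawn,
           each 'W' (reported winner) or 'L' (reported loser).
    Returns ("confirmed", n) once the paper supports the reported outcome
    at the given risk limit, or ("full_hand_count", n) if the draws run
    out first and the audit must escalate.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")

    threshold = 1.0 / risk_limit
    ratio = 1.0  # likelihood of the reported share vs. an exact tie
    n = 0
    for ballot in draws:
        n += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1.0 - reported_winner_share) / 0.5
        else:
            raise ValueError(f"unreadable ballot value: {ballot!r}")
        # Re-check after every ballot: this is the "increase the sample
        # and check again" step.
        if ratio >= threshold:
            return "confirmed", n
    return "full_hand_count", n


def draw_with_replacement(ballot_box, max_draws, seed):
    """Yield randomly selected ballots from the retained paper.

    The seed is fixed here for repeatability; it is an assumption of this
    sketch, not a recommendation for how to choose one.
    """
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield ballot_box[rng.randrange(len(ballot_box))]


if __name__ == "__main__":
    # Constructed ballot box: 10,000 paper ballots, 60% for the winner.
    box = ["W"] * 6000 + ["L"] * 4000
    honest = bravo_audit(draw_with_replacement(box, 5000, seed=7), 0.60)
    print("reported 60%, paper agrees:", honest)

    # Constructed mismatch: the tabulator reported 60%, the paper says 45%.
    flipped = ["W"] * 4500 + ["L"] * 5500
    bad = bravo_audit(draw_with_replacement(flipped, 5000, seed=7), 0.60)
    print("reported 60%, paper says 45%:", bad)
```

The narrower the reported margin, the more ballots the test needs before it confirms, and a wrong reported outcome is confirmed with probability at most the risk limit.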
This seems overly simplistic. Both have ridiculously tough to harden attack vectors.
In physical, it isn't enough to protect where the votes are done. They have to be transported back and ultimately counted somewhere. At any point in that process, they are vulnerable. No?
>In physical, it isn't enough to protect where the votes are done. They have to be transported back and ultimately counted somewhere.
No, they don't. At least in my country they are counted in place.
All the observers sit next to the ballot for the whole process, and when the voting ends, the box is opened and the votes are counted. The observers being several people appointed at random (like a jury) to check vote credentials and count the votes at the end + appointed representatives from each party present.
Everything is recorded on paper, the votes are stamped and kept, and the tally is then reported for that voting district.
Even if the people appointed at random wanted to tamper, they'd have to work all together + get the party representatives to agree with it, because it all happens in the open ("reading vote #N, says party X, do we agree it says party X?" (shows the vote around) "registering vote #N for party X" (people look as the vote is recorded, two people sign next to the vote's registration)).
Usually after the ballots are closed (election ends), it takes 5-10 hours for those people to count all the votes for a district. Then the number is announced. All country districts are announced publicly, so any individual party representative or "jury" member of any district can challenge if the numbers announced (and used for the final country-wide tally) are not accurate.
They are not allowed to leave the room, and there's also a policeman present outside.
I've been an "Election Judge" twice in Chicago. I administered my polling location twice. After voting ends, we physically collect the votes and transport them by our own vehicles to a polling location to be counted.
Which proves that "votes have to be transported to be counted" is not some inevitable byproduct of the paper-voting process as the parent made it sound like.
So, how many agents are we talking about here? How are they counted at the location you took them to? Two easy targets to identify.
I'm not claiming they are impossible to harden. Just not as easy as people are claiming. And super expensive. Such that if you were truly intent to defraud a place, you would focus on poor sections first.
And our best method of defense is probably our extensive polling tests nowadays. The more we have, the more corroborating evidence we have to an outcome. This protects both forms of counting.
Vulnerable to what, though? Physically changing votes takes time, and swapping them leaves a paper trail. If someone miscounts paper votes, you can just recount them.
With a computer, you flip a bit and there's no record. Votes are miscounted? Tough, those numbers are as real as any other numbers. And how much time does it take to swap a vote? Less than a microsecond?
But then do we understand as well how physical data works, what the actual shortcomings are, etc.?
Personally I don't think I do, yet even at my personal level I have anecdotes of ink just fading out of paper, or countless widespread voting frauds from decades ago.
I have the feeling we are putting paper and physical media handling to a higher standard because we don't know as much about it.
Yes. Physical data is well understood. Inks fade, so you use a different formula and keep it out of the light as much as possible. Inks use chemicals, so even if it’s not visible you can still see where the writing was done, inks are pressed into the paper and change the physical structure of the paper in the process.
It takes a concerted effort to change paper ballots.
The issue is not physical data though. We are talking about a voting system, with agents, suppliers, observers, ballots and people handling them.
For instance some paper elections in Africa have crazy high voter participation when not so many people showed up.
That’s an extreme and we could point the finger at blatant corruption. We’re not at these extremes, but where are we on the spectrum?
For instance we don’t have any clear idea of how much corruption we have, to the point that “perceived corruption” is the best approximation.
What I’m going at is, to evaluate how much trust we put in an electronic voting system, we’d need better views at the current system than “paper is better because it’s physical” (that’s not your argument, I take a less nuanced position as example).
It's so bad that Diebold had to spin off and rebrand their voting machine division, out of fear that security and reliability issues with the EVMs would tarnish their main ATM business.
Same in Italy, each party can have one person observing proceedings. There used to be tons of parties, hence there were lots of eyes around. The better-organised parties also tracked in realtime whether their sympathizers had actually voted, seat by seat, and could send messages through relays to hurry them to the booth. Before computers, journalists typically relied on the major parties to have the first results, well before they were officially declared.
This has changed in modern times, as a number of parties disappeared after electoral reforms; and the risk of tampering and shenanigans has increased substantially.
Also on this point, we know the large silent majority is made up mostly of moderates who want to live in a civilised democratic country where the government either leaves everyone alone or has a mass benevolent impact.
As long as attacks don't scale it seems safe to assume corruption will be localised and the integrity of the system will hold. The risk is that IT is used to centralise democracy to bring down costs, then becomes compromised in an unrelated attack.
This is essentially how the Directory managed to maintain power during the French Revolution when their party was set to lose a popular election in 1798. In departments where the Directory was expected to do especially poorly, they engineered electoral irregularities ahead of the vote that could then be used to invalidate the results. This became known as the Coup of 22 Floréal.
> Here’s a unique idea: if you want to influence elections, tamper with tamper-evident stickers to get votes from an unfriendly district thrown out.
Because you don't automatically throw out votes even if the seal is tampered.
You have other means of cross-verifying authenticity. You can look at the voter roll signatures to see if the vote totals match. You can do statistical analysis versus the expectation and look for anomalies. You can ask observers if they saw anything untoward. etc.
Paper is secure NOT because it is untamperable. Paper is secure because we can bury it in a whole host of interlocking cross-checks--of which tamper seals are one.
And paper is nice cause lay people can easily understand and verify the system.
How do you prove that an electric system wasn't tampered with? How do you verify the voting machines actually run the verified code? How do you verify that some sub-component didn't hack the RAM?
Winning an election is too valuable and the risks too myriad for me to ever trust electronic voting. Especially as, as you mentioned, tampering with paper on a large scale will likely leak that something went wrong, whereas electronic tampering might never be discovered and can be accomplished at large scale.
To me, the problem with electronic voting seems to be that in order to trust the system, it is hard to avoid giving up anonymity.
Consider for example using blockchain for this. Every eligible citizen gets a "VoteCoin" from the voting officials and deposits it in the official "VoteWallet" of their party of choice. At some cutoff point no more transactions are allowed or considered.
Each voter could verify that their vote went to the right party, and the voting officials could easily verify the votes (no unknown VoteCoins for example).
However now everyone knows which party everyone else voted for...
In general the issue seems to be that if someone voting uses an electronic system they cannot rely on what that system reports back to them. It could be hacked to show whatever. And in order to remain anonymous the person voting has to be the one that verifies that their vote went to the right party.
Is that really what happens? I would hope that if enough votes to come within a margin of error of changing the outcome were thrown out, the ballots would be re-cast. Or is there enough anonymity to make that impossible?
This is absolutely doable, and is really the logic behind most current physical election security procedures. Procedures are designed less to prevent tampering than to make tampering obvious. Re-voting can theoretically be done, because (public, real-time) records are kept of who voted at a particular polling place, not counting provisional ballots - look outside for a "street index" at your polling place.
(Source: am volunteering for the second time working the physical polls.)
I'd guess that repeating a vote favours whichever party has a particular demographic (younger?, less employed??) or whichever is better funded (to encourage/assist getting to polls) that subsequent votes get less and less attendees?
So, forcing a revote might be a way to swing a marginal seat in your favour.
They absolutely can be: see https://www.archives.gov/federal-register/electoral-college/..., specifically the section of the US code that speaks to "Failure to make choice on prescribed day" and "Determination of controversy as to appointment of electors". Basically - if for any reason a state can't pick electors on election day, it can do so afterwards by whatever (constitutional) method it desires; and if there's a disputed election and a state has a (pre-election) law enacted for deciding controversies that law just has to come to a decision within 6 days before the electors meet.
The physical collection box is generally (always?) out in the open so tampering would be obvious. Even with electronic voting machines it is rare to get enough privacy to hide attempting to tamper with the back of the machine like this article discusses. Voting machines without a user verifiable paper trail are certainly a problem, but they pose a much lower risk to the health of our democracy than other issues like what is currently happening in Georgia.
The major concern surrounding voting machine or ballot tampering is usually at early voting locations, since there it is typical to leave the ballot boxes and/or voting machines unattended overnight. The state I'm a poll worker in does have reasonable additional precautionary measures, such as printing and retaining daily open and close reports from the digital tabulators to guard against overnight ballot stuffing, but this does present an opportunity to do something like tampering with the machine so that it incorrectly tabulates future ballots.
Not really an easy attack but still a possible one, and these machines have not established a strong reputation for protection against something like a firmware implant.
This state uses and retains paper ballots, so it would be yet more difficult to design an attack that would withstand an audit of the paper ballots. But some states don't...
> Even with electronic voting machines it is rare to get enough privacy to hide attempting to tamper with the back of the machine like this article discusses.
An electronic voting machine could be tampered with well ahead of voting day. Verification hashes and the like are only aggregates that are open to trickery on the way to the humans checking them, the ground truth is impossible for a human to process. We cannot sense the state of a computer without its help. In contrast to this, the initial emptiness of a physical ballot box is very much in the realm of human senses, it's perfectly safe to leave them unattended until voting starts.
Because I don't think you are going to just not count people's votes if the entire voting district is believed to have been compromised.
I don't know what the procedure or law would be, but being that they know who voted I would think there would be some sort of attempt to allow them to revote.
These flaws are likely intentional. In a global marketplace, the current regimes in power are the ones making the purchasing decisions of what machines to use to run the next election.
Machines that can be readily tampered with and reprogrammed in undetectable ways likely sell better under the assumption leaders would rather stay in power and have ceremonious democracy than risk being ousted or overthrown.
Regardless, if someone was upstanding and wanted to run a fair election with the machines, they can do that as well. Ones that can be altered, preferably only by the election committee to change an election without getting caught, is likely a highly sought after device.
That's likely why we keep finding them over and over again. Every few months another trivial exploit that a fairly incompetent person could discover is found on yet another device.
No receipts, audits, paper trail or any verification ... just a bunch of readily reprogrammable devices that anyone with a USB stick or an sd card or the edge of a housekey could use to change the votes however they please. Again and again and again.
Indeed, the US presidential election is a joke on various levels.
1. The president is not picked based on the people’s vote. The US is a republic, not a democracy, where government officials cast the deciding votes.
2. The voting infrastructure can be easily tampered with, likely by design as pointed out above.
3. There are no limits on campaign spending, enabling billionaires and corporations to own the winning candidates that got the most airtime.
4. Two private entities have a duopoly on the presidency. They’ve established rules that prevent any new parties from serious consideration.
5. As surfaced by the Wikileaks DNC dump, at least one (if not both) of these parties actively sabotage some of their candidates to ensure the party’s pick a spot in the final national election.
> The president is not picked based on the people’s vote
Yes, the US President is. It's not a straight referendum but that doesn't mean it's not based on people's votes.
> The US is a republic, not a democracy
It's both.
> where government officials cast the deciding votes
No they don't.
> The voting infrastructure can be easily tampered with
The machines appear to be. That's quite a way from saying that the infrastructure is. That would require the tampering to be easily achievable. There's little evidence of that.
> There are no limits on campaign spending
Yes there are. They're not very effective but they exist.
> Two private entities have a duopoly on the presidency
Effectively yes.
> to ensure the party’s pick a spot in the final national election
This would be way more convincing if Trump wasn't the President. He clearly wasn't the pick of the Republican establishment. Or anywhere near. If anything, his election shows that the parties don't have the control that they'd like you to think they have.
The US presidential elections are far from a joke. Not perfect by any means but internationally important events and, in historic terms, beacons of democracy. And in case it needs saying, I'm not American and have no interest in being American.
> Bernhard was able to order two other types of election seals listed on the Michigan website, as well as several paper seals, tamper-evident stickers, and election certificates through Election Source.
Is that a form of leaving your wifi open so you have plausible deniability later?
So, a little bit more about these seals. I am an engine mechanic for a small chain of truck stops, and what the seal appears to be is an old style Cambridge MPT series truck trailer seal.
It would be easy to mistakenly use these if you weren't 'in the loop' as far as cargo shipping is concerned because they're cheap and nobody in your wheelhouse complained about them. The problem is they are brittle, weather poorly, and as evidenced can easily be bypassed by shimming. Every MPT style seal can be bypassed with a soda bottle or pop can AFAIK.
The trucking industry has moved away from them for chain-of-custody purposes. What the voting machines should be using is the Cambridge PTS series or similar. Not only does it reveal tampering, but even tampering attempts will cause the plastic to turn white/red from stress.
If you really wanted to knock it out of the park: CT-PAT Bolt seals. In vitro locking with spin protection and ISO certified. These can get pricy though, and require bolt cutters to open when necessary.
So every attempt to improve on physical paper ballots and manual counting seems doomed to fail. I'm not surprised having seen how secure most secure IT turns out to be.
How can we either a) learn to stop fixing it as it seems quite far from broken, or b) achieve something that's actually an improvement?
I agree with your first sentence. We don't yet know how to make an IT-based voting system that is as secure as paper ballots.
Paper ballots have attack surfaces, to be sure. It's just that they don't scale well, and that greatly limits the damage.
I really don't need to know the vote count 9 µsec after the polls close. I really do need to know the vote count is accurate or can be audited if need be.
> voting system that is as secure as paper ballots
I think it's not about security per se. It's more about scrutability. While it may be possible to build a system that is more secure in principle, it's a lot harder to build an IT-based voting system that a person from the street can comprehend and scrutinize in a day's work.
The same type of seal is used in securing physical ballot boxes (and in fact is used on these digital tabulators to secure their ballot receiver box), so this kind of issue is not unique to electronic voting systems. Paper-based voting also uses a system of seals to ensure integrity.
The difference of course is there are manual observers, usually independent and from the main parties, watching physical ballot boxes while they're "live". Making tampering harder even if the seals are defective.
I'm not sure that this is a useful difference. Physical ballot boxes often sit unattended overnight in the case of early voting centers (and in some cases even in regular voting locations depending on local procedure), and digital tabulators are usually observed at all times that they are unlocked. If anything digital tabulators may be somewhat more secure from this perspective, because they typically require authentication with a cryptographic token (which is held by the presiding judge of the polling location or a similar person) before they will count any ballots. This is a second measure preventing ballot stuffing when unattended as compared to a ballot box without on-site tabulator.
The issue is different for direct-recording electronic (DRE) or "paperless" machines, but this article pertains to digital tabulators that are actually a voting machine and ballot box in one: they scan the ballot and then retain it in a box for later audit. The seals pictured are actually used to secure the ballot box, not on the machine itself which sits on top of the box.
You probably had the same reaction as me: "lol yeah, they're not supposed to be indestructible, silly, just tamper-evident".
Well, bad news there too:
>But a security researcher in Michigan has shown in videos how he can defeat plastic security ties that counties across his state use to protect ballot bags, the cases that store voting machines and the ports that store the memory cards on optical-scan machines—electronic voting machines that record paper ballots scanned into them. He can do so without leaving evidence of tampering. [Emphasis added]
A good point in the comments that you would most likely not have unrestricted access to the back of the tag for the shim as it SHOULD be pulled tight but it still does not appear as secure as one would hope.
Is this a "works as designed" system? Meaning: designed to get exploited...
FTA: "Bernhard, however, said that although voting machines may be locked when they are stored in the county clerk's building, they are left unattended for days at polling places—high school gyms, churches, and community centers—prior to elections. "
They're simply tamper seals. Not padlocks. Payment terminals have the same thing. You're only supposed to detect tampering, there is no way to stop tampering when the system is local. Do Vice not understand this simple principle?
I'm not quite following why you left this comment, when the photograph on the article is of a woman in Michigan literally depositing a paper ballot. The machines discussed are for tabulating paper ballots.
And why are we using machines for tabulating? The number of people available to count ballots scales linearly with the number of votes cast generally...
> The number of people available to count ballots scales linearly with the number of votes cast generally...
Yes, but the amount of work in tabulating with humans, if you have a time bound, scales superlinearly; as you scale out the number of people tabulating initially beyond one, you add coordination overhead, which is superlinear with the number of people coordinated.
Only slightly. Other countries manage to get results the same night as the election despite hand counting. Even with an extra level of management to handle 300m instead of 30m, you would still get it all done in the same time.
What about machine tabulating first and then hand count afterwards as a check? Alternatively any party can ask for a manual recount of individual districts?
> Bernhard, who is an expert witness for election integrity activists in a lawsuit filed in Georgia to force officials to get rid of paperless voting machines used in that state
Because not so long ago, all the tech luminaries were asking "why are you still using paper ballots that take hours to count and are prone to error (both on the part of the voter and the counter)?"
Might have even been as recently as the "hanging chad" debacle in the Bush/Gore recount.
That was never my experience. For example see http://homepage.divms.uiowa.edu/~jones/voting/risks.html for a warning about the insecurity of voting machines before the Bush/Gore recount happened. And even then it was old hat among the knowledgeable. For example there was the Nebraska senatorial election that Chuck Hagel stole in 1996. (He resigned as CEO of ES&S in 1995, and won by a wide margin in 1996 in an election counted by ES&S machines despite being behind by an even wider margin in the polls. The machines did not allow a recount. What do YOU think happened?)
Were lots of people singing about the future? Of course. But lots knew that "put it on a computer" isn't a recipe for accuracy when the people who make the computers have a vested interest in the outcome!
The various Pirate parties that are around are, as far as I know, universally against electronic voting.
So some politicians are against it. And if the most digitally clued-in politicians say it's a shit idea, but the incumbent digitally challenged politicians think it's great, I know who you should trust in the matter.
So what stops someone from tampering with a box of paper ballots and replacing them with their own, anyway?
Honest question, not rhetoric. I don't see how paper ballots get any safer than electronic, it just seems to change what's the easiest approach to tampering.
Using both methods to verify one another sounds decent though.
1: A bunch of people (from both parties and nominally anyone else who feels like showing up) look at the ballot box to confirm that it's an empty cardboard (or whatever) box with no interesting properties. (This part is what's impossible with a voting machine, for obvious reasons.)
2: People watch the box to make sure it's not tampered with as people put their ballots in. (This works to a point with voting machines, although an attacker interacts with a voting machine for much longer than the ~6 sec it takes to drop a paper ballot in a box.)
3: The ballots are taken out and counted, with more watching. Due to physical laws like conservation of mass, it's very hard to make the number of ballots coming out differ from the number that went in, and even changing existing ballots is nontrivial. (Voting machines can silently delete, alter, or add ballots matching arbitrary criteria.)
Also if you try to organize large scale tampering someone will fuck up and you'll realize large scale tampering happened. With electronic voting it might not be obvious.
For paper ballots you can't usually manipulate them ahead of time to record a fraudulent vote, and you need to sneak around with a big box of votes which is just logistically more challenging.
So practically (ethically) speaking, why don’t we see physical ballot collection as equally risky? Is there a good solution?