I shall repeat it like a mantra: voting being slow and inefficient is a side effect of its transparency. You want a voting system where an average voting helper can look at it and say: "There was nothing fishy there, I saw it". This is because it is about trust and not only about secrecy and security.
Your electronic voting system can be mathematically perfect, but if nobody average can say from the outside that everything is going by the rules and it makes sense, then it is worthless.
This is why paper works so well: it takes not much skill to count it, it has to have a physical place (harder to make it vanish) and everybody can have their eyeballs glued to it, and if something fishy is going on, it is harder to hide from the average voting helper.
Even I as a programmer with some crypto knowledge would never be able to fully guarantee the integrity of a voting system, because who knows what software version is running out there in the wild, and whom I have to trust on that one.
Paper has no software version and errors in the process can be (and are) caught more easily.
Electronic voting is good for decisions where power is not involved, or where the outcome doesn't really matter. I'd rather improve what we have instead of replacing it with a mathematically sound black box that everybody can, with perfectly rational reasons, distrust when the vote went in the wrong direction.
Electronic voting is the classical solution to a nonexistent problem.
Just so the results of voting can be displayed on TV a bit earlier, we are supposed to accept substantial risks to democracy posed by blatantly insecure endpoints, blatantly insecure company infrastructure, insecure network communications and devices (routers, etc.), private companies that often have a track record of insecure and sloppy programming, voting machines that have been shown to be easily hackable (people from CCC and similar groups do that routinely when they get hold of a machine), voting program code that has been improperly audited and/or cannot be verified by the public, flawed patching mechanisms, flawed and insecure operating systems of voting machines, and so on and so forth. The list of flaws of electronic voting systems is nearly endless, and, what's worse, there is no mathematical proof that the encryption used in those systems cannot be broken. (There are lots of proofs in cryptography, but almost all of them are based on very strong idealizing assumptions. In the end, only OTPs are provably secure. We do not even have a proof that P!=NP yet.)
> Imagine if we could conduct voting in a day (even in large democracies).
That would be horrible. "Direct democracy" does not work (Switzerland is also a representative democracy); practical policy making requires some domain knowledge, patience and the ability to make compromises that the Internet mob could not possibly deliver. People are generally very good at judging the trustworthiness of other people, however, and at being critical about other people (rather than themselves). Both traits work well for a representative democracy.
Because the recount was stopped earlier than it could be completed, Bush became President, stopped watching Bin Laden and we got 9/11, then invaded Iraq and Afghanistan and the entire region was heavily destabilized and overrun with Islamic terrorists. The largest geopolitical disaster of the last 50 years with effects as far reaching as Syrian civil war, Libyan anarchy, and millions of refugees and families broken.
"Indeed it has been said that democracy is the worst form of Government except for all those other forms that have been tried from time to time.…"
- Winston Churchill
> Just so the results of voting can be displayed on TV a bit earlier, we are supposed to accept substantial risks to democracy
You already accept the influence of corporate PACs, which arguably are a much bigger threat to democracy. Not saying you should add another vector (electronic voting), just that the argument that there's a solid democratic system now is not quite true.
> You already accept the influence of corporate PACs
This is leading astray but just to make this clear for anyone looking up this thread later: I do not accept the influence of corporate PACs at all, and believe (but IANAL) that where I live these would be illegal.
A corporate PAC is simply a group of people joining together to create political speech, with the added legal protection of incorporation. The Citizens United case was in direct response to the FEC approving nearly all corporate speech from liberal sources, while stopping conservative versions. Explicitly in the Michael Moore v Citizens United FEC complaints. Nothing changed for liberal voices in Citizens United, only for conservatives. Which is why this is such a polarizing issue, as one side lost a hugely unfair advantage.
> Electronic voting is the classical solution to a nonexistent problem.
That is incorrect. Voting is a feedback loop for the will of the voters. The slower the process is, the less representative it is. The fidelity of the loop is paramount, but the issue remains.
EDIT: do the downvoters understand that there is setup involved in a paper process and getting results is not the end of the feedback loop (not race)? SMH
"The slower the process is, the less representative it is"
If we are talking about months perhaps, but as long as a result is known within a day or two (at most) I'm not sure it really makes that much difference.
I don't think I understand what feedback loop we are talking about?
Everyone who wants to be on the ballot registers a few months in advance, which is usually a short enough time. Since people are usually voted into a job they have to do for 4-6 years you don't want hasty decisions anyways.
Getting poll results while the voting stations are open is usually not a desired feature because of how it influences voters.
The delay for counting the votes measures in days, which is a tiny amount in a feedback loop where one iteration takes 4-6 years. Other steps, like forming a government, routinely take an order of magnitude more time in many nations.
> The delay for counting the votes measures in days, which is a tiny amount in a feedback loop where one iteration takes 4-6 years.
I think their argument is precisely that that's too slow of a time to reflect what the voters want and that a faster turnaround time would allow referendums and more of a direct democracy, even when it comes to minor issues, since 'representatives' often don't quite represent.
Such a system does need informed voters, otherwise it opens up to reactionary activism, but that's a whole other debate.
Although the longer counting takes, the more difficult it becomes for a substantial number of people to monitor the entire process. In the UK, counting takes place overnight, immediately after the polls close; it's feasible for multiple parties to ensure they have people at every location for the entire time, keeping an eye out for irregularities.
If the process were extended over a week instead of a night, it becomes correspondingly harder to ensure that there was never an opportunity for someone to tamper.
If that happens digitally (and using correctly distributed crypto signatures), then we can provide the public with the necessary tools to check every single vote.
> and using correctly distributed crypto signatures
You sort of lost me here. I will not say it is a bad idea, but it would never work in any country I know. The sheer size and cultural innovation required would still need to place an inordinate amount of trust in the system.
Again, it is not that it is evil, as much as there are so many possible problems for so little gain
(IIRC Estonia has a nice program where you have a state-SIM and you can vote via telephone, so there it actually might work)
>> you sort of lost me here. I will not say it is a bad idea, but it would never work in any country I know.
Bitcoin works this way though. It is a set of tools to manipulate a highly abstract data structure. These tools are developed by a minority of the population, but the rest of the population trusts them.
This works because it has value for the folk.
Now you're speaking about elections. Most of the people speaking of e-elections are _mostly_ trying to get to the public that if you could make the elections work electronically - then there's a bunch of other things that could be done digitally too.
One example - company board voting. What if you could be present at any board meeting because everything that is said over there is cryptographically signed by each party thus providing non-repudiation of whatever they said?
What if every newspaper reporter had to sign their articles with their signature which is linked to a news trust network?
Contract signatures. Inheritance.
This is a reply to your:
>> Again, it is not that it is evil, as much as there are so many possible problems for so little gain
Little gain is only for people who have no idea of what you can do with "digital".
> Voting is a feedback loop for the will of the voters
Why should it go in both directions? Even if it's true, is it a good thing? You should change your opinion if you hear good arguments and not because you want to vote like the others.
Did you read the comment you're replying to? Its whole point is that lay people don't understand sophisticated cryptography like homomorphic encryption, which makes it difficult to trust, whereas they do understand and trust paper. A cryptographic paper voting system that required advanced math to understand would have the same legitimacy problem as a cryptographic electronic voting system.
> A cryptographic paper voting system that required advanced math to understand would have the same legitimacy problem as a cryptographic electronic voting system.
No, because it'll still be counted manually by humans. What the cryptographic layer allows you to do is verify that your vote was properly counted or allow a trusted third-party to verify that for you. It doesn't take anything away from the paper voting system but only adds to it. That said, you'd still have to trust the device that generates your tracker, but maybe they've found a way to deal with that.
Paper ballots are vulnerable to systemic voter suppression of the kind that’s hard to eliminate. Voter ID laws. Complicated ballots. Overloaded polling stations. Worst, all these weaknesses are difficult to eliminate because they are both difficult to sincerely debate and difficult to generate the public interest necessary to generate enough activism.
Electronic voting can reduce the friction enough to where we can address these issues with common-sense approaches.
- With electronic voting the identification problem is at least as hard as with paper ballots, so Voter ID is at least as hard (and honestly, I've never heard of any problem of this kind outside of the US)
- Electronic ballots could be simpler than paper ballots, but they can also be a lot more complicated. Under the assumption that voter suppression is taking place we have to assume that the electronic ballot would be more complicated than the paper equivalent
- Electronic voting still requires voting booths, meaning you can still overload polling stations. Voting from home is equivalent to mail voting (already a thing) and has a lot of problems if it's how the majority votes
Also all these problems have common sense solutions already:
- If the nation for some reason doesn't have a ubiquitous national identity system, the government should take some of that tax money and hand out free Voter ID cards (preferably delivered by certified mail or similar)
- Designing ballots that are not complicated is a solved problem in most of the Western World
- Have enough polling stations that queue times never exceed 10 minutes. If queues are too long take note to make that polling station bigger in the next election.
Depends if "electronic voting" means "in-person voting at polling stations with existing polling cards and polling booths, but replace paper ballots with touchscreen vote-counting machines" or if it means "Voting by smart phone"
Although there are downsides to vote-by-smartphone, an advocate would argue you should compare it to vote-by-mail rather than vote-in-person, given that almost every election allows vote-by-mail.
Smartphone voting sounds like a recipe for disaster. The fact that votes are cast in private in an otherwise public place is part of what makes the system work. If you let a large number of people vote remotely, you have zero certainty that a) the voters weren't pressured into voting a certain way, say by a domineering parent or b) that the device wasn't compromised.
Personally I agree and am not an advocate of smartphone voting.
However, I can tell you what someone who was an advocate of smartphone voting would say.
To (a) they would say we already allow postal votes, so the pressure/vote-selling is already with us; and furthermore although the pressure/vote-selling is bad for democracy, low turnout and voter suppression like making polling stations hard to access are worse.
To (b) they would say if Apple Pay can be secure, so can online voting. Maybe even more secure! I mean, in my country the ruling party doesn't have enough members to put an activist in each polling station watching the ballot box, even if they worked a 15-hour shift without toilet breaks. So it's not like the current system offers total protection against fraud.
These are mostly solved problems in all western nations (except for the US). E.g. I am Austrian living in Germany and I have been voting by mail for a decade.
Mail voting has the downside that it invites the kind of problems where some guy tricks elderly people into giving them their vote etc. But all in all it works quite well.
>>> These are mostly solved problems in all western nations (except for the US). E.g. I am Austrian living in Germany and I have been voting by mail for a decade.
The US has had vote-by-mail for as long as I can remember [0]... So what is an example of a "mostly solved problems in all western nations (except for the US)" other than an example that you posted that is inaccurate?
I'm not arguing that we have solved all election problems, but it's unfair to say we haven't solved something and share a solution that your country has that our country has too. Maybe Austria does something different with their vote-by-mail system than what the US does, if so please share what that is.
The US doesn't have vote-by-mail, we have mail-in absentee ballots and they're intended to be a last resort. You can only request an absentee ballot if you're unable to vote in person. You can't request an absentee ballot simply because it's more convenient.
I'm not sure what state you are in, but that entire statement is not true in the state of FL.
Per the link I cited above as a sample reference to vote-by-mail in the US -
"Vote-by-mail refers to voting a ballot received by mail or picked up by or for a voter instead of going to the polls to vote during early voting period or Election Day. Except on Election Day, no excuse is needed to vote a vote-by-mail ballot (see Who Can Pick Up a Vote-by-Mail Ballot below)."
The key phrase being that last one, "no excuse is needed to vote a vote-by-mail ballot". There is no verbiage about it being a "last resort" and that you can only vote-by-mail if "you're unable to vote in person". The Florida Division of Elections even titles the page "Vote-by-mail".
Went to a conference in 1993 or thereabouts, put on by a now defunct organization called "CPSR" (Computer Professionals for Social Responsibility). I remember Phil Zimmerman was a speaker. Anyway, one of the topics was the problem of electronic voting.
The correctness of cryptographic voting systems is determined by their publicly observable behavior, not by their internal implementation. It's the protocol that's secure, not the specific hardware or software implementation. So the attack you're describing doesn't really apply.
But you cannot observe it. You see that someone with a hash X has voted. How do you know whether it was a real person, a real person voting under boss supervision, a real person who actually didn't take part in elections, or just sysadmin inserting records into the database?
- You see the number of records aggregated, it should not exceed the amount of voters
- You can somehow identify your own vote and thus verify it was properly counted
- Everyone else can do the same, thus fraudsters would have to find a protocol weakness to add additional votes
One attack vector might be whatever you use to identify your vote. Aka find a way to make two people think the same record is their own vote, then use the other yourself. This seems like a tricky problem, since everyone should be able to see their own vote was included but also not be able to show others how they voted. The article seems to indicate they solved this somehow, but I'm not familiar enough with the details / homomorphic encryption to understand that or even just trust that specific kind of encryption.
Watch person enter booth with fresh ballot, watch person leave booth with filled ballot, and check to see that person doesn't take pictures of their ballot. Seems pretty clear they voted and their vote can't be influenced.
Though the article is light on details, it does seem to provide for an identical level of verification. I'm more than happy to be corrected if I'm missing something, but it sure sounds like they are proposing an effectively identical verification scheme.
Having a cryptographically secure voting protocol doesn't protect you if the human-computer interface is compromised to alter the votes as they are being entered into the system. You get a code to verify that "your" vote was counted correctly, but because you're not supposed to be able to prove who you voted for to prevent vote-buying, you can't tell that the voting machine has slipped you the wrong code.
It may not be an admissible attack in the model within which protocols are proven secure, but it's still an attack that could affect real-world systems.
Homomorphic cryptography allows you to track your vote without revealing the vote content (who you voted for), but at the same time vote tallying is possible on the encrypted votes in a process that is verifiable.
Of course the trust only comes with understanding of the mathematics.
"publicly observable behavior" is a bit of a misnomer - general public can indeed observe ElectionGuard in action, but it will not know what it sees. Fortunately, Microsoft advocates using paper ballots as a backup.
Also prevents uninterested, lazy people from voting out of spite.
I know it's unpopular to say, but I don't think it's a bad thing that voting requires personal (strictly personal; no corporation should get in your way) effort.
Because the amount of spare effort people have available is correlated to class, and thus adding more hoops to jump through is yet another way to favor the idle rich over the working poor.
But I also don't see why the first sentence is inherently bad. Why is it good to police what type of people may vote? Why is it good to police the reason for voting?
I agree. I never understood the notion of same-day registration, nor the constant blasting of voting reminders for months before the midterms. Do we really want people who have to be extremely convinced to vote, to vote? Do we really want people who didn't care at all, got convinced by one team the day of, and decided to vote on a whim, to vote? Thus, are the votes from people who had to be reminded on twitter and google to vote, "real" votes? Or were they gamed?
This isn't an electronic voting system. It's a system for verifiable receipts that attach to paper systems.
> ElectionGuard provides a complete implementation of end-to-end verifiable elections. It is designed to work with systems that use paper ballots, supplementing today’s tabulation process by providing a means of public verification of the accuracy of reported results.
This is the most common type of attempt to subvert paper voting. The paper becomes the "recount" which is often challenged in court. See? The numbers match, there is no reason for a hand count.
>The numbers match, there is no reason for a hand count.
The whole point of this scheme is to provide strong evidence for when the numbers won't match. This is an advantage over existing optical scan systems, where a recount requires watching every single paper ballot go into the reader.
Right, but I don't think we should glamorize old-style paper voting either. Yes, it is easier for an observer to spot that something fishy is going on, but it is also easy for authorities to dismiss it as insubstantial. Someone obstructed your view of the ballot box for a few seconds? Sorry, that was an accident. Police evicted you from the poll station? Better behave yourself next time. You saw a blatant incident of fraud and you have hard evidence? Well sure, local officials went a bit over the line, we'll cancel the results of that particular poll station. Our candidate still wins.
My impression from fraud reports from Russian elections is that most fraud occurred at the local level (where no one was able to precisely quantify it) and from the point the data was inserted into the centralized database everything was squeaky clean.
So maybe some kind of a centralized panopticon surveillance system that the FAAMG are so fond of is just the right fit for elections.
If it was something that was done at the local level, not in conspiracy with the central government, then why are the investigations in cases of election fraud so ineffective, and even if the case gets to court, it typically ends with just a fine? If the central government had no relation to the fraud, they would prefer to punish local officials, yet they try to avoid doing it.
Instead, they warn heads of regions that the results of election in their region might affect their evaluation.
Regarding things you have described, they are possible with electronic voting as well. Hashes not matching? You probably made a mistake, verify again, our experts say that everything is correct.
Also, for an average person, seeing a video recording with officials throwing a pack of ballots into the box is easier to understand than some difficult calculations with hashes.
> If it was something that was done at the local level, not in conspiracy with the central government, then why are the investigations in cases of election fraud so ineffective, and even if the case gets to court, it typically ends with just a fine? If the central government had no relation to the fraud, they would prefer to punish local officials, yet they try to avoid doing it. Instead, they warn heads of regions that the results of election in their region might affect their evaluation.
Maybe I misunderstood your phrasing but that's precisely what enables large-scale fraud. High-ranking officials can maintain plausible deniability by outsourcing fraud to the local level and doing nothing overt themselves. If low-level officials are caught, they suffer token punishment because some semblance of rule of law must be maintained (but punishment cannot be too strict because they were doing what they were supposed to do).
> Regarding things you have described, they are possible with electronic voting as well. Hashes not matching? You probably made a mistake, verify again, our experts say that everything is correct.
Right, but if you have evidence that say 10% of votes are tainted, it is something worth fighting for and going to the streets for. Whereas if all you have is a recording of a handful of ballots thrown into a box at some poll station in rural Yakutia, well who cares about a few 100s of ballots? You can try to string a few of these videos together to provoke an emotional reaction but it will subside quickly as public attention will be redirected to the next outrage du jour.
For the most part, this seems like a pretty reasonable application of homomorphic cryptography to act as an extra voting record. Like others here I think it would need to be secondary to the paper voting record, and I worry that would be hard to enforce forever.
But one line stands out as particularly troubling:
> Our sample reference will showcase how people can make their selections at home, where they can easily research their choices, then bring a QR code to the polling place to scan and pre-populate their ballot.
On the one hand, I support the goal of making it easier for people to research and select their choices. But the risk of enabling a "scan-to-vote" operation is pretty clear: voters will be given their QR codes pre-populated by some interested third party.
Yes, but there is no proof that the user actually used that QR to make their vote. This diminishes the incentive to buy votes because there is no verifiable proof of how someone voted.
I'm not saying it's a perfect solution, but it's more secure than mail-in ballots, which are currently in use and popular in many locations.
The issue isn't that someone can force you to vote a certain way or check that you voted in some way. The issue is that someone can make it outrageously convenient for you to make a whole set of uninformed votes.
Imagine you're very busy and haven't spent the time yet to figure out what to vote for. Someone tells you that if you vote a certain way, it will be great for a certain pet issue that you care about, and they give you (and many others) a QR code. The QR code contains a vote for one candidate who cares about the pet issue, but the rest of the votes in the QR code are all oriented around a different issue that you don't know about, don't care about, or actively care the other way about, but you don't notice and scan it and vote it as-is.
I don't mean this as a what-about, but it's worth noting: any ballots that list the party of the candidates or offer single-action straight-party votes are effectively a subtle form of a ballot pre-populated by an interested party.
I have at times followed an election guide verbatim. It's far more rational than voting straight ticket.
If it means it's easier to vote for those overwhelmed by all the various choices out there, then that's a win. If it means you can get your average millennial or Generation-Z friend to vote, someone who cares about social issues but can't be bothered to learn about local judges -- then that's a good thing. It could mean more accurate representation. It's better than letting the richest and most idle determine everything.
I don't understand how counting verification is achieved. Let's say that election officials release a list of hashed votes, so that you can verify that your vote has been counted and included into results. But how can you check that all other votes in the list are the votes from real people and not arbitrarily added by sysadmin to get the expected result?
Does anyone know how such things are implemented? I have read about e-voting in Estonia, but there one has to trust the authorities and cannot independently verify the results.
Also, there is another scenario. Let's say the rules allow changing the vote later. A voter votes for candidate X and gets a link that allows them to verify that the vote is recorded. But several hours later the server software re-votes for candidate Y. If the voter bothers to check the results after the election, they will find that their vote was altered. But the voter has no proof that they didn't vote for candidate Y, and election officials have server logs that prove that the voter voted two times. So probably the voter is just lying because they don't want to accept the fact that candidate Y is supported by 99% of the population.
And one more scenario: before closing the elections, officials can make a list of people who didn't vote and vote for them. If they didn't vote they probably don't care about elections and won't find out that someone voted for them.
» And one more scenario: before closing the elections, officials can make a list of people who didn't vote and vote for them. If they didn't vote they probably don't care about elections and won't find out that someone voted for them.
This could already happen today. This is why all major candidates, even in these united states, send their own observers and not simply trust election officials to do their job.
I think you mean "does", or at least, "did". I have spoken with more than one political operative who has voted for the dead, for instance. Probably much more common in NYC (and other places suffering from machine politics, like Chicago).
What if it is not a public record? Also, even if it is a public record, how can you be sure that people in the voters list are real, they are eligible to vote in this region and not made up by authorities?
Also, even if the list of people who voted is public, and if results were falsified, with electronic voting you cannot estimate the scale of falsification. Did they alter just a hundred votes or a hundred thousand?
There are also lists of who lives in a county/state/country. If you suspect foul play you can further look up if John Doe is a person that lives in the 'right' place. Of course this doesn't solve the case where John Doe is a real person that is allowed to vote, but actually stayed home.
With paper voting, an observer can manually count the number of people coming to the polling station. With electronic voting, this becomes impossible, because you either only see the final list or (sometimes) you see the hashes of votes being cast in real time, but you don't know whether it is a real person or just sysadmin voting under name of a random person.
So with electronic voting, it becomes necessary to verify lists of voters.
You will typically get a voter registration ID, just like in paper votes, so you should be able to trace. The only thing different in electronic voting is that you sign the vote with your private key, which becomes your signature. So in theory, whatever you can do by receiving signed paper from someone, you can also do by receiving encrypted content from someone.
> You will typically get a voter registration ID, just like in paper votes, so you should be able to trace. The only thing different in electronic voting is that you sign the vote with your private key, which becomes your signature. So in theory, whatever you can do by receiving signed paper from someone, you can also do by receiving encrypted content from someone.
Either you're responding to the wrong comment or I'm failing to see how this is at all relevant to what I asked. How does tracing your own vote tell you if John Doe was fake?
I don't think it's desirable to let individual voters verify that their votes were counted. That means that the privacy of your vote can be compromised under duress a long time after the election.
Paper and pen, such a beautiful straightforward system, sacrificed on the altar of unnecessary use of technology.
I was surprised when I read that as well but reading further my impression was that you can confirm the contents of the ballot only while voting and then afterwards you only get access to a message along the lines of "Yes, vote a678b234 was correctly counted" or a message saying otherwise but not the contents of the ballot.
(which, while more secure, is also slightly less useful)
The mechanism for voter verification is based on homomorphic encryption. Numberphile made a video on this topic recently, with a few basic explainers: https://www.youtube.com/watch?v=BYRTvoZ3Rho
The system for verifiable receipts in the article does not require electronic voting in either the vote-casting or vote-counting process. It's an explicitly paper system.
Can someone smarter than me explain if this system maintains anonymity?
To a layperson, statements like the one below raise a flag. If I can track it electronically, is it also possible for someone else to see who voted for whom?
"After the election is complete, the tracker codes can be used by voters to confirm that their votes were not altered or tampered with and that they were properly counted"
Again, to a layperson the above statement seems potentially at odds with the one below at first blush (because I don't understand the technology):
"With homomorphic encryption, individually encrypted votes can be combined to form an encrypted tabulation of all votes which can then be decrypted to produce an election tally that protects voter privacy."
So we have privacy but electronic traceability to the individual voter? To the uninitiated like myself, it seems like we'd have to choose between electronic traceability and anonymity.
The system does not ensure anonymity as to who has voted, but it does maintain secrecy as to how you voted.
The idea is that you can have a public, verifiable "ledger" of voters. You can verify that you are on the list with your encrypted vote. I.e. you verify that your vote counts. You can match it to the receipt you received when voting. You do not, however, possess the key to decrypt your vote or the vote of anyone else.
The public list can also be used (more work) to verify that only real people voted: They could presumably be contacted.
Homomorphic encryption allows the votes to be tallied while still encrypted. The result is an encrypted tally.
At this point someone with the decryption key can decrypt the final tally and reveal the result. Presumably this can happen per polling place.
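As an added illustration of the tally-while-encrypted idea in the comment above (example code written for this thread, not ElectionGuard's own implementation), the block below uses exponential ElGamal, an additively homomorphic scheme, over a deliberately tiny safe-prime group so it runs instantly. The candidate names, the votes and the group parameters are all constructed for the demonstration. Each ballot is encrypted as one ciphertext per candidate (1 for the chosen one, 0 otherwise); anyone holding only the published ciphertexts can multiply them into an encrypted count, and only the trustee key turns that into a number.

```python
import secrets

# Toy parameters for a runnable demonstration only: a safe prime p = 2q + 1 and a
# generator of the order-q subgroup. Real deployments use groups of 2048+ bits.
P = 1019
Q = 509
G = 4  # 4 = 2^2 is a quadratic residue mod P, hence lies in the order-Q subgroup

CANDIDATES = ("Alice", "Bob")  # constructed sample race


def keygen():
    """Trustee key pair: secret x, public h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt_bit(h, bit, r=None):
    """Exponential ElGamal: (g^r, g^bit * h^r). The vote sits in the exponent so
    that multiplying two ciphertexts adds their plaintext bits."""
    if bit not in (0, 1):
        raise ValueError("each selection is encrypted as 0 or 1")
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, bit, P) * pow(h, r, P) % P


def encrypt_ballot(h, choice):
    """One ciphertext per candidate: 1 for the chosen one, 0 for the rest."""
    return [encrypt_bit(h, 1 if c == choice else 0) for c in CANDIDATES]


def aggregate(ciphertexts):
    """Public step: anyone can multiply published ciphertexts component-wise.
    The product encrypts the sum of the underlying bits; no key is involved."""
    a = b = 1
    for c1, c2 in ciphertexts:
        a = a * c1 % P
        b = b * c2 % P
    return a, b


def decrypt_count(x, agg, max_count):
    """Trustee step: strip h^R with the secret key, leaving g^count, then recover
    the small exponent by brute force (fine because count <= number of voters)."""
    c1, c2 = agg
    g_count = c2 * pow(c1, Q - x, P) % P  # c1^(Q - x) == c1^(-x) in the order-Q group
    for m in range(max_count + 1):
        if pow(G, m, P) == g_count:
            return m
    raise ValueError("decrypted value is not a valid count")


def run_election(choices):
    """Encrypt every ballot, publish the ciphertexts, tally homomorphically, and
    return (tally, published_ballots, aggregates) so a verifier can re-check."""
    x, h = keygen()
    published = [encrypt_ballot(h, choice) for choice in choices]
    aggregates = [aggregate([ballot[i] for ballot in published])
                  for i in range(len(CANDIDATES))]
    tally = {CANDIDATES[i]: decrypt_count(x, aggregates[i], len(choices))
             for i in range(len(CANDIDATES))}
    return tally, published, aggregates


def verifier_recompute(published, claimed_aggregates):
    """What an outside verifier can do with public data alone: recompute the
    encrypted aggregates from the published ballots and compare them with the
    aggregates the election authority claims to have decrypted."""
    recomputed = [aggregate([ballot[i] for ballot in published])
                  for i in range(len(CANDIDATES))]
    return recomputed == claimed_aggregates


if __name__ == "__main__":
    votes = ["Alice", "Bob", "Alice", "Alice", "Bob"]  # constructed sample
    tally, published, aggs = run_election(votes)
    print(tally, verifier_recompute(published, aggs))
```

What this shows that the prose does not: the verifier never learns any individual vote (it only ever sees ciphertexts), yet it can detect an authority that decrypts something other than the product of the published ballots. What it does not show is the proof that each published ciphertext really encrypts a 0 or a 1; a real system needs that extra check, otherwise a single ballot encrypting "1000" would swing the homomorphic sum.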
Thank you for taking the time to clarify. So if I understand this correctly, the system can allow an individual to verify that their vote was counted but not validate that the vote was counted correctly?
From that perspective, it seems analogous to the system in use but perhaps more efficient. In other words, does this actually introduce any new features or just translate the existing features of the current system to a new medium?
I thought about some advantages of paper voting compared to electronic: you can spoil the ballot, for example, if you don't like any of the candidates and there is no option titled "Against all". In electronic elections, you cannot do that.
As I understood the story (the photo of the ballot that is sometimes circulated is just one taken from Twitter), the ballot had Brexit written all over it, and an arrow pointing at the Tory candidate's name, so ended up counting it as a Tory vote because of that.
Actually, spoiled votes show how many voters turned up but did not like any of the candidates. It's a clear message to candidates that this is not voter apathy, the votes are there for the taking, but their policies and behaviors are not supported.
Not bothering to show up at all doesn't give any clear message.
There is a slight difference. First, the number of spoilt ballots is published. Second, sometimes in two-round elections, they can affect whether the candidate wins in the first round or not, if it requires getting 50% of all votes including spoilt ballots.
I've been accumulating a mental list of properties that would support less-exploitable, more-auditable paper balloting. This has a surprising number of the properties.
The main items I don't see represented are all roughly related to auditability for ballot chain of custody. I think issues/irregularities with the ballot chain of custody are probably good proxies for triaging hand-audit efforts.
The goal is knowing when ballots go missing, or turn up in unexpected places (but I'm not sure where the sweet spot is for securing that chain without making individual votes unmaskable). I think it's a similar process, with lots of identifiers, and lots of scanning. It would live or die by rapid, simple, reliable scanning.
This means scanning identified ballots into shipping boxes, and generating an identifier for the box based on which ballots were scanned in. A pallet gets an identifier based on the boxes that went in. Shipments get identifiers based on whatever combination of boxes/pallets they contain. Scan in boxes at the polling station and accumulate identifiers for the polling place. Perhaps per poll worker. Scan ballots out of the boxes, back into the completed-ballot boxes and/or trash. Cumulative identifiers for completed-ballot boxes, trashed ballots, and unused ballots are scanned back out of the polling place and at each step back up the chain again.
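One way to realise the cumulative container identifiers the comment describes, as an added example for this thread (not code from any real election system): each container's id is a hash over the sorted ids of its members, so a box id commits to its ballots and a pallet id commits to its boxes. Ballot and box names below are constructed; the hash is truncated only for readability.

```python
import hashlib


def container_id(member_ids):
    """Order-independent identifier: hash of the sorted member ids, so scanning
    the same contents in a different order at the next stop gives the same id."""
    h = hashlib.sha256()
    for m in sorted(member_ids):
        h.update(m.encode() + b"\n")
    return h.hexdigest()[:16]  # truncated for readability in this toy


def pack(manifest):
    """manifest: {box_name: [ballot ids]} -> ({box_name: box_id}, pallet_id).
    The pallet id commits to the box ids, which commit to the ballots."""
    box_ids = {box: container_id(ballots) for box, ballots in manifest.items()}
    return box_ids, container_id(box_ids.values())


def check_box(expected_id, scanned_ballots):
    """At the receiving end: rescan the ballots and compare with the id
    recorded when the box was sealed. True means nothing was added or removed."""
    return container_id(scanned_ballots) == expected_id


def reconcile(expected_ballots, scanned_ballots):
    """When a box id does not match, find out what changed.
    Returns (missing, unexpected), both sorted lists."""
    exp, got = set(expected_ballots), set(scanned_ballots)
    return sorted(exp - got), sorted(got - exp)


# Constructed scenario: two boxes leave the warehouse, one ballot goes missing
# in transit and one unknown ballot turns up in its place.
MANIFEST = {
    "box-1": ["B-0001", "B-0002", "B-0003"],
    "box-2": ["B-0004", "B-0005"],
}
RECEIVED_BOX_1 = ["B-0003", "B-0001", "B-0999"]  # B-0002 gone, B-0999 unexpected


def audit_delivery():
    """Returns a dict describing each box as received at the polling place."""
    box_ids, _pallet = pack(MANIFEST)
    result = {}
    result["box-1"] = (check_box(box_ids["box-1"], RECEIVED_BOX_1),
                       reconcile(MANIFEST["box-1"], RECEIVED_BOX_1))
    result["box-2"] = (check_box(box_ids["box-2"], list(reversed(MANIFEST["box-2"]))),
                       reconcile(MANIFEST["box-2"], MANIFEST["box-2"]))
    return result


if __name__ == "__main__":
    print(audit_delivery())
```

The ids answer only "did the contents change between two scans"; they say nothing about who was holding the box in between, so the log of who scanned what, and when, still has to be kept alongside them.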
I think the whole point of this fancy homomorphic encryption-based system is that only the endpoints need to be verifiable, you no longer have to worry about chain of custody anymore. Kinda like how end-to-end encryption means you no longer have to trust every link in the network that connects you to the other party.
As long as you can verify that the final tally is correctly calculated from all the public encrypted votes, that those encrypted votes include yours, and none are by fake voters, who cares how the encrypted votes are transmitted to the body that officially calculates the final tally?
Maybe? I won't assert it doesn't, since I don't know. It certainly seems to be a tolerable solution to the questions of whether votes were changed, or whether ballots were disappeared without counting.
But I don't see how the ability of individuals to verify that their own vote was counted can sum, at scale, to verifying that real-but-fraudulent ballots aren't also in the total.
It seems like you could verify this if everyone who voted proved that their vote was included in the count and the full count was explained by everyone who proved they voted. In practice, that seems unlikely?
Well, currently, it's public whether someone voted (though of course not what their vote was). Assuming that's still true in this fancy system, that count would then have to match the count of how many encrypted votes there are, so you can't forge fake ballots from whole cloth (without people noticing). The best you could do is to try to defraud both systems, by identifying who won't vote and then submitting a fake vote for them.
Sure, you can't verify every single vote, but it doesn't take that much time/money to call up, say, 100 people (relative to the expense of running this whole system). If you contact 100 random people from the public record of who voted, and all 100 say "yes, I did actually vote", then the real result (excluding fraudulent votes) is unlikely to differ from the recorded result by more than 1%. And, obviously, you can drive that probability down as far as you want with more expense, but that'd only be important for rare close elections.
Good point; I wasn't factoring in the existing public voting records.
I'm not sure what the contact rates would look like if you tried, but retroactive sampling should have a good chance of spotting systemic abuse if response rates are sufficiently high. I guess you could even legislate random audit sample sizes based on the number of votes and victory margins.
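The sample-size question raised in the last few comments can be worked out directly. The block below is an added example for this thread, not part of any election procedure: it treats a fabricated entry on the public voter roll as something a contacted voter would disown, and asks how large a random sample must be before at least one fabricated entry is almost certain to show up. The roll size, fraud rate and margin figures are constructed inputs.

```python
import math


def miss_probability(fraud_fraction, sample_size):
    """Chance that a random sample of `sample_size` roll entries contains no
    fabricated one when a fraction `fraud_fraction` of the roll is fabricated
    (large-roll approximation: draws treated as independent)."""
    return (1.0 - fraud_fraction) ** sample_size


def miss_probability_exact(roll_size, fake_count, sample_size):
    """Same question for a finite roll sampled without replacement (hypergeometric)."""
    if sample_size > roll_size - fake_count:
        return 0.0  # sample larger than the genuine entries: a fake must be drawn
    return math.comb(roll_size - fake_count, sample_size) / math.comb(roll_size, sample_size)


def sample_size_for(fraud_fraction, confidence):
    """Smallest sample that catches at least one fabricated entry with probability
    >= confidence when a fraction `fraud_fraction` of the roll is fabricated."""
    if not 0 < fraud_fraction < 1 or not 0 < confidence < 1:
        raise ValueError("fractions must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - fraud_fraction))


def audit_plan(margin_fraction, confidence=0.95):
    """Size an audit against the margin: if every fabricated vote went to the
    declared winner, the fabricated share would have to exceed the margin
    (winner minus runner-up, as a fraction of all votes) to change the result.
    So sampling hard enough to detect that share is enough to protect the outcome."""
    return sample_size_for(margin_fraction, confidence)


if __name__ == "__main__":
    print(round(miss_probability(0.01, 100), 3))            # 1% fakes, 100 calls
    print(round(miss_probability_exact(10000, 100, 100), 3))
    print(sample_size_for(0.01, 0.99), audit_plan(0.005, 0.99))
```

The numbers make the trade-off concrete: a hundred calls reliably catch fraud on the scale of tens of percent, while a one-percent margin needs a few hundred contacts for 99% confidence, and a half-percent margin roughly twice that. Non-response has to be treated as a separate problem, since a fabricated entry and a genuine voter who does not pick up the phone look the same until followed up.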
I've been thinking about the values of end-to-end auditability as deterrence and public relations, but I agree that you could capture the majority of that benefit for a fraction of the cost and complexity with regular sample-based audits.
That does make sense; strong deterrence, and deterministic rather than probabilistic guarantees, are both better for legitimacy, probably.
I don't think there's any need to legislate random audit sample sizes; in practice, independent groups will do so. (And it's crucial to legitimacy that it's possible for independent groups to do so in the first place, of course.)
Lazy thinking, on my part. The thought was that mandatory audits would help maintain long-term confidence by avoiding erosion of confidence in long gaps where no specific evidence triggered audits. Minimum sample sizes would help protect the mechanism from undersized propaganda-audits that ultimately undermine trust in the audits themselves.
But you're right; it would probably be easier and more pernicious to do a sufficiently large audit but give the reins to partisans, ideologues, or incompetents. Fairly open access would be better, though I'm sure there are still plenty of "interested" outside parties willing to perform propaganda audits for cheap. Not sure how to solve that.
Hmmmm, I guess the key is that each group's auditing process itself has to be open and "objective"---paper ballots are pretty easy in this regard, every group looking at the same ballot will usually agree who the vote is for. Math/encryption could possibly work too, at least in the sense of being "objective", although it has other legitimacy problems due to being difficult for lay people to understand and trust.
As far as I know, controversies over audits or the independent observers themselves being corrupted aren't really a problem in the US at least, so I'm not too worried about this.
If it takes 3 days instead of 1h to get the votes, I think it's worth the wait since elections are pretty important and with paper you can do a recount, find physical paper that's been thrown in the trash (happens every time in Italy), etc.
Also, these corporations seem to have a strong political bias, and how do we know they're not injecting their software with backdoors that would allow them to manipulate results?
> ElectionGuard provides a complete implementation of end-to-end verifiable elections. It is designed to work with systems that use paper ballots, supplementing today’s tabulation process by providing a means of public verification of the accuracy of reported results.
So, it sounds like you're entirely in support of this article, the only tiny change you want to make is for the paper to be counted FIRST, and then the electronic tabulation to be used as a validator. And any discrepancy results in an investigation, no?
This is a nice effort, however, don't politicians actually want voting systems to be really messy? If so, they could shift the balance towards what they want at will. The USA has one of the worst voting systems in the world, however, it keeps the balance of power, equilibrating elections, i.e., alternating Democrats and Republicans every eight years or so. If the voting system was spotless and verifiable and accountable, they couldn't mess with it!
>After the election is complete, the tracker codes can be used by voters to confirm that their votes were not altered or tampered with and that they were properly counted.
In Estonian e-voting they allowed changing the vote later or re-voting offline. So that if someone sold their vote or was forced to vote, they can later change their mind.
But such a scheme is still vulnerable: for example, imagine if a large company, state-owned or with close ties to the government, forces its employees to vote online under supervision. If the employees are not very good with computers or don't own one, they cannot change their vote online later, and the employer can set their shifts to the voting day so that they cannot visit the polling station.
It's not just that. Some UK researchers also demonstrated how it was possible to confuse voters whose devices were infected by malware. The trick basically was to display X to the voter and send Y instead.
What you really want is some way for the voter to create plausible deniability. Like the voter should have multiple secret keys, one which allows them to confirm their vote was correctly tallied for themselves, and another one that allows them to trick an adversary into thinking they voted for an arbitrary candidate.
If I understand correctly, a schemer could agree to pay for votes, but had no way to verify the ballot was indeed cast for that candidate. With this system they could first verify the vote before paying. It's made possible by the information which is used to verify the vote. It's supposed to be kept secret by the voter, but could be shared with the schemer in order to get paid. This would make vote-buying schemes much more manageable.
However, there seems to be considerable risk to the voter. What's to prevent the schemer from not paying up? The vote is already cast, and what can the voter do? Sue the schemer? For not paying for a bought vote?
Imagine I ask the voting machine to give me 100 sealed envelopes with "Alice" written in them and 100 sealed envelopes with "Bob" written in them. I open and destroy 199 of them, verify that Alice votes are Alice votes and Bob votes are Bob votes. I then walk out of the voting booth with a sealed Alice envelope, then deposit it into the ballot box.
That's the "verifiable" step in here.
The only way for you to know who I voted for is if you were in that booth with me.
> The combination of the tracker – which allows individual voters to verify that their votes have been accurately recorded – and the verifier – which allows anyone to verify that the recorded votes have been accurately counted – enables full “end-to-end verification” of the correctness of election results.
I understood this to mean that I am able to use the tracker to verify that my vote was cast for a particular candidate.
Right - the way you verify that is by asking for 100 sealed Alice envelopes, and opening 99 of them at random. If the machine was trying to trick you, you have a strong chance of catching it. You still walk out with a sealed envelope, and the would-be vote-buyer can't be sure it isn't a Bob envelope.
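The "100 sealed envelopes" exchange above is a cut-and-choose check (often called a cast-or-challenge or Benaloh challenge). The block below is an added simulation written for this thread, not ElectionGuard's code: a device seals a vote as an exponential ElGamal ciphertext, and the voter either opens the envelope (the device must reveal its randomness, and that envelope is spoiled) or casts it sealed. The group parameters, candidate names and the always-cheating device are constructed for the demonstration.

```python
import secrets

# Toy safe-prime group (p = 2q + 1), far too small for real use; 4 generates
# the order-Q subgroup. Constructed for the demonstration only.
P, Q, G = 1019, 509, 4
CANDIDATES = ("Alice", "Bob")  # constructed two-candidate race


def encrypt(h, candidate, r):
    """Exponential ElGamal of the candidate index under public key h with
    randomness r. Without r, nobody can recompute which candidate is inside."""
    m = CANDIDATES.index(candidate)
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P


class BallotDevice:
    """Simulated voting machine. An honest one encrypts what it was told;
    a cheating one silently encrypts the other candidate."""

    def __init__(self, h, cheat=False):
        self.h, self.cheat, self._pending = h, cheat, None

    def prepare(self, candidate):
        """Seal an envelope: the voter sees only the ciphertext."""
        actual = candidate
        if self.cheat:
            actual = CANDIDATES[1 - CANDIDATES.index(candidate)]
        r = secrets.randbelow(Q - 1) + 1
        self._pending = (candidate, r)
        return encrypt(self.h, actual, r)

    def challenge(self):
        """Voter says 'open this one': the device reveals what it claims it
        encrypted and the randomness; the envelope can never be cast."""
        claimed, r = self._pending
        self._pending = None
        return claimed, r

    def cast(self):
        """Voter says 'cast this one': the ciphertext goes to the box, r is never shown."""
        self._pending = None


def verify_opened(h, ciphertext, claimed, r):
    """Anyone (voter, observer, a phone app) recomputes the encryption from the
    revealed randomness and sees whether the envelope really held `claimed`."""
    return encrypt(h, claimed, r) == ciphertext


def run_challenges(device, candidate, rounds):
    """Open `rounds` envelopes for `candidate`; return how many failed the check."""
    failures = 0
    for _ in range(rounds):
        ct = device.prepare(candidate)
        claimed, r = device.challenge()
        if not verify_opened(device.h, ct, claimed, r):
            failures += 1
    return failures


if __name__ == "__main__":
    h = pow(G, secrets.randbelow(Q - 1) + 1, P)  # trustee public key
    honest, crooked = BallotDevice(h), BallotDevice(h, cheat=True)
    print("honest device failures:", run_challenges(honest, "Alice", 99))
    print("cheating device failures:", run_challenges(crooked, "Alice", 99))
    sealed = honest.prepare("Alice")
    honest.cast()                      # this envelope goes to the ballot box, unopened
    print("cast ciphertext:", sealed)  # a vote buyer sees only this pair of numbers
```

The check is only as strong as the device's inability to predict which envelope will be opened: a device that cheats on every envelope is caught on the first challenge, while one that cheats on a single envelope is caught with probability equal to the chance that envelope is challenged, which is why the booth must not reveal in advance whether a given envelope will be cast or opened.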
It certainly has nothing to do with democracy, and is intended to solve exactly one problem: Microsoft's need to increase revenue through sweet gov't funded contracts. Let's not be fooled by open-sourced code; once the idea is sold to politicians and media, someone should be contracted to implement this useless stuff. And who's this going to be? Not hard to guess.
While I appreciate the cynicism, I'm not seeing how an open schema for tamper-evident verifiable voting machines could be anything other than positive.
For starters, the whole voting machines concept is essentially a ploy to exploit wide-spread respect for computer technologies in society to sell hardware and software. It reduces observability compared to pieces of paper, and doesn't solve any real problems.
I don't think Gates' words from 2004 can be seen as a policy statement for today's Msft. Apparently, a lot has changed.
> Microsoft will not charge for using ElectionGuard and will not profit from partnering with election technology suppliers that incorporate it into their products.
I'm not sure how much stronger of a statement they can make than that. There's no money in voting machines for Microsoft.
How is this relevant? This isn't an electronic voting system. It's a system for verifiable receipts that attach to paper systems.
> ElectionGuard provides a complete implementation of end-to-end verifiable elections. It is designed to work with systems that use paper ballots, supplementing today’s tabulation process by providing a means of public verification of the accuracy of reported results.